
Commit 6e96aba

committed
Fixed bug #40833 (Crash when using unset() on an ArrayAccess object retrieved via __get()).
1 parent 03a3291 commit 6e96aba


3 files changed

+85
-13
lines changed


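--- a/Zend/tests/bug40833.phpt
+++ b/Zend/tests/bug40833.phpt
@@ -0,0 +1,72 @@
+--TEST--
+Bug #40833 (Crash when using unset() on an ArrayAccess object retrieved via __get)
+--FILE--
+<?php
+class entity
+{
+private $data;
+private $modified;
+
+function __get($name)
+{
+if ( isset($this->data[$name]) )
+return $this->data[$name];
+else
+return $this->data[$name] = new set($this);
+}
+
+function __set($name, $value)
+{
+$this->modified[$name] = $value;
+}
+}
+
+class set implements ArrayAccess
+{
+private $entity;
+
+function __construct($entity)
+{
+$this->entity = $entity;
+$this->entity->whatever = $this;
+}
+
+function clear() {
+$this->entity->whatever = null;
+}
+
+function offsetUnset($offset)
+{
+$this->clear();
+// $this->entity->{$this->name} = null;
+}
+
+function offsetSet($offset, $value)
+{
+}
+
+function offsetGet($offset)
+{
+return 'Bogus ';
+}
+
+function offsetExists($offset)
+{
+}
+}
+
+$entity = new entity();
+echo($entity->whatever[0]);
+
+//This will crash
+// $entity->whatever->clear();
+unset($entity->whatever[0]);
+
+//This will not crash (comment previous & uncomment this to test
+// $test = $entity->whatever; unset($test[0]);
+
+echo($entity->whatever[0]);
+echo "ok\n";
+?>
+--EXPECT--
+Bogus Bogus ok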
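Review bot: The expected output `Bogus Bogus ok` does not prove that `offsetUnset()` ran, because `offsetGet()` returns the same string whatever the object's state; a build in which `unset($entity->whatever[0]);` silently did nothing would still pass. Printing a marker from `offsetUnset()`, for example `echo "unset ";` before `$this->clear();`, and extending `--EXPECT--` to `Bogus unset Bogus ok` would pin the call as well as the absence of a crash. The comments `//This will crash` and `//This will not crash (...` describe pre-fix behaviour and would read better as `// crashed before the fix for bug #40833`. `offsetExists()` returns nothing, which is harmless here only because the script never calls `isset()` on the set.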

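--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1361,7 +1361,7 @@ ZEND_VM_HANDLER(97, ZEND_FETCH_OBJ_UNSET, VAR|UNUSED|CV, CONST|TMP|VAR|CV)
 if (IS_OP2_TMP_FREE()) {
 MAKE_REAL_ZVAL_PTR(property);
 }
-zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC);
+zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC);
 if (IS_OP2_TMP_FREE()) {
 zval_ptr_dtor(&property);
 } else {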
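Review bot: The switch to `BP_VAR_UNSET` in the `zend_fetch_property_address()` call carries no comment saying why a read-mode fetch is unsafe in this handler, and that is not obvious from the surrounding lines. A short comment above the call, such as `/* fetch in unset mode: with BP_VAR_R a value handed back by __get() could be released while offsetUnset() still runs (bug #40833) */`, would keep a later cleanup from reverting a memory-safety fix; that wording is my reading of the bug title and the test, so the author should confirm it. The handler body starts and ends outside the hunk, so what happens to the fetched result afterwards is not visible here. Since zend_vm_execute.h is generated from this file, the twelve matching changes there should come from rerunning the generator rather than from hand edits.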

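--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -9488,7 +9488,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 if (0) {
 MAKE_REAL_ZVAL_PTR(property);
 }
-zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC);
+zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC);
 if (0) {
 zval_ptr_dtor(&property);
 } else {
@@ -11027,7 +11027,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 if (1) {
 MAKE_REAL_ZVAL_PTR(property);
 }
-zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC);
+zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC);
 if (1) {
 zval_ptr_dtor(&property);
 } else {
@@ -12569,7 +12569,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 if (0) {
 MAKE_REAL_ZVAL_PTR(property);
 }
-zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC);
+zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC);
 if (0) {
 zval_ptr_dtor(&property);
 } else {
@@ -14584,7 +14584,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 if (0) {
 MAKE_REAL_ZVAL_PTR(property);
 }
-zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC);
+zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC);
 if (0) {
 zval_ptr_dtor(&property);
 } else {
@@ -15878,7 +15878,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_UNUSED_CONST_HANDLER(ZEND_OPCODE_HANDLER_AR
 if (0) {
 MAKE_REAL_ZVAL_PTR(property);
 }
-zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC);
+zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC);
 if (0) {
 zval_ptr_dtor(&property);
 } else {
@@ -16937,7 +16937,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_UNUSED_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS
 if (1) {
 MAKE_REAL_ZVAL_PTR(property);
 }
-zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC);
+zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC);
 if (1) {
 zval_ptr_dtor(&property);
 } else {
@@ -17954,7 +17954,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_UNUSED_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS
 if (0) {
 MAKE_REAL_ZVAL_PTR(property);
 }
-zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC);
+zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC);
 if (0) {
 zval_ptr_dtor(&property);
 } else {
@@ -19236,7 +19236,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_UNUSED_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 if (0) {
 MAKE_REAL_ZVAL_PTR(property);
 }
-zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC);
+zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC);
 if (0) {
 zval_ptr_dtor(&property);
 } else {
@@ -21933,7 +21933,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_CV_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 if (0) {
 MAKE_REAL_ZVAL_PTR(property);
 }
-zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC);
+zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC);
 if (0) {
 zval_ptr_dtor(&property);
 } else {
@@ -23464,7 +23464,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_CV_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 if (1) {
 MAKE_REAL_ZVAL_PTR(property);
 }
-zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC);
+zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC);
 if (1) {
 zval_ptr_dtor(&property);
 } else {
@@ -24998,7 +24998,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 if (0) {
 MAKE_REAL_ZVAL_PTR(property);
 }
-zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC);
+zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC);
 if (0) {
 zval_ptr_dtor(&property);
 } else {
@@ -27003,7 +27003,7 @@ static int ZEND_FETCH_OBJ_UNSET_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 if (0) {
 MAKE_REAL_ZVAL_PTR(property);
 }
-zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_R TSRMLS_CC);
+zend_fetch_property_address(RETURN_VALUE_UNUSED(&opline->result)?NULL:&EX_T(opline->result.u.var), container, property, BP_VAR_UNSET TSRMLS_CC);
 if (0) {
 zval_ptr_dtor(&property);
 } else {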
