Fix yet another indirect string modification by error handler problem

dstogov · dstogov · commit 94286cd596b4 · 2021-12-02T16:16:54.000+03:00
diff --git a/Zend/tests/str_offset_008.phpt b/Zend/tests/str_offset_008.phpt
@@ -0,0 +1,18 @@
+--TEST--
+string offset 008 indirect string modification by error handler
+--FILE--
+<?php
+set_error_handler(function($code, $msg) {
+    echo "Err: $msg\n";
+    $GLOBALS['a']=8;
+});
+$z = "z";
+$a=["xx$z"];
+var_dump($a[0][$b]);
+var_dump($a);
+?>
+--EXPECT--
+Err: Undefined variable $b
+Err: String offset cast occurred
+string(1) "x"
+int(8)
diff --git a/ext/opcache/jit/zend_jit_helpers.c b/ext/opcache/jit/zend_jit_helpers.c
@@ -921,7 +921,15 @@ static zend_string* ZEND_FASTCALL zend_jit_fetch_dim_str_r_helper(zend_string *s
 	zend_long offset;
 
 	if (UNEXPECTED(Z_TYPE_P(dim) != IS_LONG)) {
+		if (!(GC_FLAGS(str) & IS_STR_INTERNED)) {
+			GC_ADDREF(str);
+		}
 		offset = zend_check_string_offset(dim/*, BP_VAR_R*/);
+		if (!(GC_FLAGS(str) & IS_STR_INTERNED) && UNEXPECTED(GC_DELREF(str) == 0)) {
+			zend_string *ret = zend_jit_fetch_dim_str_offset(str, offset);
+			zend_string_efree(str);
+			return ret;
+		}
 	} else {
 		offset = Z_LVAL_P(dim);
 	}
