
Commit 7372a3e

committed
Merge branch 'PHP-8.0'
* PHP-8.0: Fix Bug #80972: Memory exhaustion on invalid string offset
2 parents f9d1a72 + 418fcd2 commit 7372a3e


5 files changed

+53
-7
lines changed


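--- a/Zend/tests/bug31098.phpt
+++ b/Zend/tests/bug31098.phpt
@@ -35,11 +35,12 @@ try {
 }
 echo $simpleString["0"] === "B"?"ok\n":"bug\n";
 try {
+/* This must not affect the string value */
 $simpleString["wrong"] = "f";
 } catch (\TypeError $e) {
 echo $e->getMessage() . \PHP_EOL;
 }
-echo $simpleString["0"] === "f"?"ok\n":"bug\n";
+echo $simpleString["0"] === "B"?"ok\n":"bug\n";
 ?>
 --EXPECTF--
 bool(false)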

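--- a/Zend/tests/bug53432.phpt
+++ b/Zend/tests/bug53432.phpt
@@ -58,7 +58,7 @@ Warning: Illegal string offset -1 in %s on line %d
 NULL
 string(0) ""
 Cannot access offset of type string on string
-string(1) "a"
+string(0) ""
 Error: [] operator not supported for strings
 string(0) ""
 Error: Cannot use assign-op operators with string offsets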

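--- a/Zend/tests/bug80972.phpt
+++ b/Zend/tests/bug80972.phpt
@@ -0,0 +1,41 @@
+--TEST--
+Bug #80972: Memory exhaustion on invalid string offset
+--FILE--
+<?php
+
+function exceptions_error_handler($severity, $message, $filename, $lineno) {
+if (error_reporting() & $severity) {
+throw new ErrorException($message, 0, $severity, $filename, $lineno);
+}
+}
+set_error_handler('exceptions_error_handler');
+
+$float = 10e120;
+$string_float = (string) $float;
+
+$string = 'Here is some text for good measure';
+
+try {
+echo 'Float casted to string compile', \PHP_EOL;
+$string[(string) 10e120] = 'E';
+var_dump($string);
+} catch (\TypeError $e) {
+echo $e->getMessage(), \PHP_EOL;
+}
+
+/* This same bug also permits to modify the first byte of a string even if
+* the offset is invalid */
+try {
+/* This must not affect the string value */
+$string["wrong"] = "f";
+} catch (\Throwable $e) {
+echo $e->getMessage() . \PHP_EOL;
+}
+var_dump($string);
+
+?>
+--EXPECT--
+Float casted to string compile
+Cannot access offset of type string on string
+Cannot access offset of type string on string
+string(34) "Here is some text for good measure"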
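Review bot: `$float` and `$string_float` are assigned near the top of the test but never used; the only float-string case indexes with the constant expression `(string) 10e120`, which the echo labels as the "compile" variant. The counterpart where the offset arrives in a variable therefore looks untested; a second try block with `echo 'Float casted to string runtime', \PHP_EOL;` and `$string[$string_float] = 'E';` would cover it, with the matching lines added to --EXPECT-- (presumably the same TypeError message). Both expected messages are TypeErrors, so the throwing `exceptions_error_handler` does not appear to be exercised by any case here; either drop it or add a case that reaches it.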

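--- a/Zend/tests/indexing_001.phpt
+++ b/Zend/tests/indexing_001.phpt
@@ -52,7 +52,7 @@ foreach ($testvalues as $testvalue) {
 }
 
 ?>
---EXPECTF--
+--EXPECT--
 *** Indexing - Testing value assignment with key ***
 array(1) {
 ["foo"]=>
@@ -74,12 +74,8 @@ array(1) {
 int(1)
 }
 }
-
-Warning: Array to string conversion in %s on line %d
 Cannot access offset of type string on string
 string(0) ""
-
-Warning: Array to string conversion in %s on line %d
 Cannot access offset of type string on string
 string(1) " "
 Cannot use a scalar value as an array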

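--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1592,6 +1592,14 @@ static zend_never_inline void zend_assign_to_string_offset(zval *str, zval *dim,
 zend_long offset;
 
 offset = zend_check_string_offset(dim, BP_VAR_W EXECUTE_DATA_CC);
+/* Illegal offset assignment */
+if (UNEXPECTED(EG(exception) != NULL)) {
+if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
+ZVAL_UNDEF(EX_VAR(opline->result.var));
+}
+return;
+}
+
 if (offset < -(zend_long)Z_STRLEN_P(str)) {
 /* Error on negative offset */
 zend_error(E_WARNING, "Illegal string offset " ZEND_LONG_FMT, offset);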
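Review bot: The comment `/* Illegal offset assignment */` does not say why the early return is needed, although as far as this hunk shows the guard is what stops the value returned by zend_check_string_offset() from being used as a write offset after it has thrown. According to the new bug80972.phpt, continuing past that point led to memory exhaustion or to a write to the first byte of the string, so I would spell that out: `/* zend_check_string_offset() threw for an illegal offset: stop before the returned value is used to extend or write the string (bug #80972) */`. A short comment on `ZVAL_UNDEF(EX_VAR(opline->result.var));` saying the result is left undefined because an exception is pending would help the next reader as well. The function body starts and ends outside this hunk, so whether its later error paths treat the result slot consistently cannot be checked from here.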
