Fixed bug #75241 (Null pointer dereference in zend_mm_alloc_small()).

Xinchen Hui 2017-09-24 17:24:11 +08:00
parent db63367871
commit b05ff14a9a
3 changed files with 18 additions and 1 deletions

2
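--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP NEWS
 ?? ??? 2017 PHP 7.0.25
 - Core:
+. Fixed bug #75241 (Null pointer dereference in zend_mm_alloc_small()).
+(Laruence)
 . Fixed bug #75236 (infinite loop when printing an error-message). (Andrea)
 . Fixed bug #75252 (Incorrect token formatting on two parse errors in one
 request). (Nikita)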

13
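--- /dev/null
+++ b/Zend/tests/bug75241.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #75241 (Null pointer dereference in zend_mm_alloc_small())
+--FILE--
+<?php
+function eh(){}
+set_error_handler('eh');
+$d->d = &$d + $d->d/=0;
+var_dump($d);
+?>
+--EXPECT--
+float(INF)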
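Review bot: The reproducer line `$d->d = &$d + $d->d/=0;` has no explanation, and the empty handler `eh` swallows every diagnostic, so the test pins only the final `float(INF)`. A short comment in the `--FILE--` section would tell a later reader why this expression must stay exactly as written, for example `// operand and result of the arithmetic presumably share one zval here; the conversion must not leave it destroyed`. If the diagnostics raised along the way are part of the expected behaviour, collecting them in the handler and dumping them would make the test stricter; the visible lines do not show whether that matters.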


@ -221,8 +221,10 @@ try_again:
if (Z_TYPE(holder) == IS_LONG) { \ if (Z_TYPE(holder) == IS_LONG) { \
if (op == result) { \ if (op == result) { \
zval_ptr_dtor(op); \ zval_ptr_dtor(op); \
ZVAL_LONG(op, Z_LVAL(holder)); \
} else { \
(op) = &(holder); \
} \ } \
(op) = &(holder); \
} \ } \
break; \ break; \
} \ } \
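Review bot: The new `op == result` branch has no comment saying why the converted value is written into `op` in place instead of repointing `op` at `holder`, and that reasoning is the whole fix. From the visible lines, `zval_ptr_dtor(op)` releases the zval that `result` also names, so only the in-place `ZVAL_LONG(op, Z_LVAL(holder));` leaves `result` holding a live value. I would add `/* op aliases result: store the long in place so result does not keep the destroyed zval */` above that line. The macro starts and ends outside this hunk, so other conversion branches or sibling macros with the same `op == result` and `zval_ptr_dtor(op)` shape are worth checking for the same aliasing; I cannot confirm that from here.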