Fixed bug #70912 (Null ptr dereference instantiating class with invalid array property)

laruence · laruence · commit 25de928df77d · 2015-11-13T21:24:42.000+08:00
diff --git a/NEWS b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? 2015, PHP 7.0.1
 
 - Core:
+  . Fixed bug #70912 (Null ptr dereference instantiating class with invalid
+    array property). (Laruence)
   . Fixed bug #70898, #70895 (null ptr deref and segfault with crafted callable).
     (Anatol, Laruence)
 
diff --git a/Zend/tests/bug70912.phpt b/Zend/tests/bug70912.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #70912 (Null ptr dereference when class property is initialised to a dereferenced value)
+--FILE--
+<?php
+class A {
+	public $a=[][];
+}
+?>
+--EXPECTF--
+Fatal error: Cannot use [] for reading in %sbug70912.php on line %d
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
@@ -7381,12 +7381,15 @@ void zend_eval_const_expr(zend_ast **ast_ptr) /* {{{ */
 		case ZEND_AST_DIM:
 		{
 			/* constant expression should be always read context ... */
-
 			zval *container, *dim;
 
+			if (ast->child[1] == NULL) {
+				zend_error_noreturn(E_COMPILE_ERROR, "Cannot use [] for reading");
+			}
+
 			zend_eval_const_expr(&ast->child[0]);
 			zend_eval_const_expr(&ast->child[1]);
-			if (!ast->child[0] || !ast->child[1] || ast->child[0]->kind != ZEND_AST_ZVAL || ast->child[1]->kind != ZEND_AST_ZVAL) {
+			if (ast->child[0]->kind != ZEND_AST_ZVAL || ast->child[1]->kind != ZEND_AST_ZVAL) {
 				return;
 			}
 
