Fixed bug #72162 (use-after-free - error_reporting)

laruence · laruence · commit 919186212141 · 2016-05-05T11:02:21.000+08:00
diff --git a/NEWS b/NEWS
@@ -3,6 +3,7 @@ PHP                                                                        NEWS
 ?? ??? 2016 PHP 7.0.7
 
 - Core:
+  . Fixed bug #72162 (use-after-free - error_reporting). (Laruence)
   . Add compiler option to disable special case function calls. (Joe)
   . Fixed bug #72101 (crash on complex code). (Dmitry)
   . Fixed bug #72100 (implode() inserts garbage into resulting string when
diff --git a/Zend/tests/bug72162.phpt b/Zend/tests/bug72162.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #72162 (use-after-free - error_reporting)
+--FILE--
+<?php
+error_reporting(1);
+$var11 = new StdClass();
+$var16 = error_reporting($var11);
+?>
+okey
+--EXPECT--
+okey
diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c
@@ -704,7 +704,8 @@ ZEND_FUNCTION(error_reporting)
 #endif
 
 	old_error_reporting = EG(error_reporting);
-	if(ZEND_NUM_ARGS() != 0) {
+	if (ZEND_NUM_ARGS() != 0) {
+		zend_string *new_val = zval_get_string(err);
 		do {
 			zend_ini_entry *p = EG(error_reporting_ini_entry);
 
@@ -730,7 +731,7 @@ ZEND_FUNCTION(error_reporting)
 				zend_string_release(p->value);
 			}
 
-			p->value = zval_get_string(err);
+			p->value = new_val;
 			if (Z_TYPE_P(err) == IS_LONG) {
 				EG(error_reporting) = Z_LVAL_P(err);
 			} else {
