Fix leak for compound shift self-assign error cases

nikic · nikic · commit 98c2ceacf811 · 2015-01-07T23:13:45.000+01:00
diff --git a/Zend/tests/compound_shift_string_error.phpt b/Zend/tests/compound_shift_string_error.phpt
@@ -0,0 +1,31 @@
+--TEST--
+Error cases of compound shift assignment on strings
+--FILE--
+<?php
+
+$n = "65";
+$n <<= $n;
+var_dump($n);
+
+$n = "-1";
+$n <<= $n;
+var_dump($n);
+
+$n = "65";
+$n >>= $n;
+var_dump($n);
+
+$n = "-1";
+$n >>= $n;
+var_dump($n);
+
+?>
+--EXPECTF--
+int(0)
+
+Warning: Bit shift by negative number in %s on line %d
+bool(false)
+int(0)
+
+Warning: Bit shift by negative number in %s on line %d
+bool(false)
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
@@ -1451,6 +1451,10 @@ ZEND_API int shift_left_function(zval *result, zval *op1, zval *op2) /* {{{ */
 
 	convert_op1_op2_long(op1, op1_lval, op2, op2_lval, ZEND_SL, shift_left_function);
 
+	if (op1 == result) {
+		zval_dtor(result);
+	}
+
 	/* prevent wrapping quirkiness on some processors where << 64 + x == << x */
 	if (UNEXPECTED((zend_ulong)op2_lval >= SIZEOF_ZEND_LONG * 8)) {
 		if (EXPECTED(op2_lval > 0)) {
@@ -1463,9 +1467,6 @@ ZEND_API int shift_left_function(zval *result, zval *op1, zval *op2) /* {{{ */
 		}
 	}
 
-	if (op1 == result) {
-		zval_dtor(result);
-	}
 	ZVAL_LONG(result, op1_lval << op2_lval);
 	return SUCCESS;
 }
@@ -1477,6 +1478,10 @@ ZEND_API int shift_right_function(zval *result, zval *op1, zval *op2) /* {{{ */
 
 	convert_op1_op2_long(op1, op1_lval, op2, op2_lval, ZEND_SR, shift_right_function);
 
+	if (op1 == result) {
+		zval_dtor(result);
+	}
+
 	/* prevent wrapping quirkiness on some processors where >> 64 + x == >> x */
 	if (UNEXPECTED((zend_ulong)op2_lval >= SIZEOF_ZEND_LONG * 8)) {
 		if (EXPECTED(op2_lval > 0)) {
@@ -1489,9 +1494,6 @@ ZEND_API int shift_right_function(zval *result, zval *op1, zval *op2) /* {{{ */
 		}
 	}
 
-	if (op1 == result) {
-		zval_dtor(result);
-	}
 	ZVAL_LONG(result, op1_lval >> op2_lval);
 	return SUCCESS;
 }

Original file line number	Diff line number	Diff line change
`@@ -1451,6 +1451,10 @@ ZEND_API int shift_left_function(zval result, zval op1, zval op2) / {{{ */`
`1451`	`1451`
`1452`	`1452`	`convert_op1_op2_long(op1, op1_lval, op2, op2_lval, ZEND_SL, shift_left_function);`
`1453`	`1453`
	`1454`	`+ if (op1 == result) {`
	`1455`	`+ zval_dtor(result);`
	`1456`	`+ }`
	`1457`	`+`
`1454`	`1458`	`/* prevent wrapping quirkiness on some processors where << 64 + x == << x */`
`1455`	`1459`	`if (UNEXPECTED((zend_ulong)op2_lval >= SIZEOF_ZEND_LONG * 8)) {`
`1456`	`1460`	`if (EXPECTED(op2_lval > 0)) {`
`@@ -1463,9 +1467,6 @@ ZEND_API int shift_left_function(zval result, zval op1, zval op2) / {{{ */`
`1463`	`1467`	`}`
`1464`	`1468`	`}`
`1465`	`1469`
`1466`		`- if (op1 == result) {`
`1467`		`- zval_dtor(result);`
`1468`		`- }`
`1469`	`1470`	`ZVAL_LONG(result, op1_lval << op2_lval);`
`1470`	`1471`	`return SUCCESS;`
`1471`	`1472`	`}`
`@@ -1477,6 +1478,10 @@ ZEND_API int shift_right_function(zval result, zval op1, zval op2) / {{{ */`
`1477`	`1478`
`1478`	`1479`	`convert_op1_op2_long(op1, op1_lval, op2, op2_lval, ZEND_SR, shift_right_function);`
`1479`	`1480`
	`1481`	`+ if (op1 == result) {`
	`1482`	`+ zval_dtor(result);`
	`1483`	`+ }`
	`1484`	`+`
`1480`	`1485`	`/* prevent wrapping quirkiness on some processors where >> 64 + x == >> x */`
`1481`	`1486`	`if (UNEXPECTED((zend_ulong)op2_lval >= SIZEOF_ZEND_LONG * 8)) {`
`1482`	`1487`	`if (EXPECTED(op2_lval > 0)) {`
`@@ -1489,9 +1494,6 @@ ZEND_API int shift_right_function(zval result, zval op1, zval op2) / {{{ */`
`1489`	`1494`	`}`
`1490`	`1495`	`}`
`1491`	`1496`
`1492`		`- if (op1 == result) {`
`1493`		`- zval_dtor(result);`
`1494`		`- }`
`1495`	`1497`	`ZVAL_LONG(result, op1_lval >> op2_lval);`
`1496`	`1498`	`return SUCCESS;`
`1497`	`1499`	`}`