Fix bug #70782

nikic · nikic · commit b9cc3176eb42 · 2015-10-24T23:19:02.000+02:00
diff --git a/NEWS b/NEWS
@@ -7,6 +7,8 @@ PHP                                                                        NEWS
     (Laruence)
   . Fixed bug #70689 (Exception handler does not work as expected). (Laruence)
   . Fixed bug #70430 (Stack buffer overflow in zend_language_parser()). (Nikita)
+  . Fixed bug #70782 (null ptr deref and segfault (zend_get_class_fetch_type)).
+    (Nikita)
 
 - Opcache:
   . Fixed bug #70724 (Undefined Symbols from opcache.so on Mac OS X 10.10).
diff --git a/Zend/tests/bug70782.phpt b/Zend/tests/bug70782.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #70782: null ptr deref and segfault (zend_get_class_fetch_type)
+--FILE--
+<?php
+
+(-0)::$prop;
+
+?>
+--EXPECTF--
+Fatal error: Illegal class name in %s on line %d
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
@@ -2126,8 +2126,15 @@ static zend_op *zend_compile_class_ref(znode *result, zend_ast *name_ast, int th
 	zend_compile_expr(&name_node, name_ast);
 
 	if (name_node.op_type == IS_CONST) {
-		zend_string *name = Z_STR(name_node.u.constant);
-		uint32_t fetch_type = zend_get_class_fetch_type(name);
+		zend_string *name;
+		uint32_t fetch_type;
+
+		if (Z_TYPE(name_node.u.constant) != IS_STRING) {
+			zend_error_noreturn(E_COMPILE_ERROR, "Illegal class name");
+		}
+
+		name = Z_STR(name_node.u.constant);
+		fetch_type = zend_get_class_fetch_type(name);
 
 		opline = zend_emit_op(result, ZEND_FETCH_CLASS, NULL, NULL);
 		opline->extended_value = fetch_type | (throw_exception ? ZEND_FETCH_CLASS_EXCEPTION : 0);
