Fixed bug #69905 (null ptr deref and segfault in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER)

Author: dstogov

Zend/tests/bug69905.phpt

@@ -0,0 +1,11 @@
+--TEST--
+Bug #69905 (null ptr deref and segfault in ZEND_FETCH_DIM_RW_SPEC_VAR_UNUSED_HANDLER)
+--FILE--
+<?php
+md5(0)[]--;
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: [] operator not supported for strings in %sbug69905.php:2
+Stack trace:
+#0 {main}
+  thrown in %sbug69905.php on line 2

Zend/zend_execute.c

@@ -1682,11 +1682,11 @@ static zend_always_inline void zend_fetch_dimension_address(zval *result, zval *
 
 		if (dim == NULL) {
 			zend_error(E_EXCEPTION | E_ERROR, "[] operator not supported for strings");
+			ZVAL_NULL(result);
 		} else {
 			zend_check_string_offset(dim, type);
+			ZVAL_INDIRECT(result, NULL); /* wrong string offset */
 		}
-
-		ZVAL_INDIRECT(result, NULL); /* wrong string offset */
 	} else if (EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
 		if (!Z_OBJ_HT_P(container)->read_dimension) {
 			zend_error(E_EXCEPTION | E_ERROR, "Cannot use object as array");