-rw-r--r--NEWS1
-rw-r--r--Zend/tests/bug72854.phpt18
-rw-r--r--Zend/zend_execute.c4
3 files changed, 22 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index f58aa0b860..d17a9365a4 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,7 @@ PHP NEWS
. Fixed bug #72813 (Segfault with __get returned by ref). (Laruence)
. Fixed bug #72767 (PHP Segfaults when trying to expand an infinite operator).
(Nikita)
+ . Fixed bug #72854 (PHP Crashes on duplicate destructor call). (Nikita)
- FTP:
. Fixed bug #70195 (Cannot upload file using ftp_put to FTPES with
diff --git a/Zend/tests/bug72854.phpt b/Zend/tests/bug72854.phpt
new file mode 100644
index 0000000000..74139c7ebc
--- /dev/null
+++ b/Zend/tests/bug72854.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #72854: PHP Crashes on duplicate destructor call
+--FILE--
+<?php
+
+function get() {
+ $t = new stdClass;
+ $t->prop = $t;
+ return $t;
+}
+
+$i = 42;
+get()->prop =& $i;
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
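Review bot: The script has no comment saying which construct triggers the bug, and the `--EXPECT--` section only checks that `===DONE===` is printed, so the test catches a regression only if the bad free actually crashes the process. A one-line comment before `get()->prop =& $i;`, such as `// prop is a self-reference, so rebinding it releases what is probably the last reference to the temporary object`, would record the intent. Memory errors of this kind do not always crash a release build, so the test is most meaningful when run on a debug build or under a memory checker.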
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 1012b3cc4f..a2ef9c3f4d 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -576,6 +576,7 @@ static inline zval *_get_obj_zval_ptr_ptr(int op_type, znode_op node, zend_execu
static inline void zend_assign_to_variable_reference(zval *variable_ptr, zval *value_ptr)
{
zend_reference *ref;
+ zval garbage;
if (EXPECTED(!Z_ISREF_P(value_ptr))) {
ZVAL_NEW_REF(value_ptr, value_ptr);
@@ -585,8 +586,9 @@ static inline void zend_assign_to_variable_reference(zval *variable_ptr, zval *v
ref = Z_REF_P(value_ptr);
GC_REFCOUNT(ref)++;
- zval_ptr_dtor(variable_ptr);
+ ZVAL_COPY_VALUE(&garbage, variable_ptr);
ZVAL_REF(variable_ptr, ref);
+ zval_ptr_dtor(&garbage);
}
/* this should modify object only if it's empty */
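Review bot: The reordering in `zend_assign_to_variable_reference` has no comment explaining why the old value is parked in `garbage` (declared in the previous hunk) and destroyed only after `ZVAL_REF(variable_ptr, ref)`. Without one, a later cleanup could fold it back into a single `zval_ptr_dtor(variable_ptr)` and reintroduce the crash. I would add above the `ZVAL_COPY_VALUE` line something like `/* Destroy the old value only after the slot holds the new reference: the dtor may free the container that owns variable_ptr. */`. Going by the accompanying test, the dangerous case appears to be a slot whose old value keeps its own container alive, which makes this a double-destroy / use-after-free class of bug. Other helpers that destroy a slot in place before overwriting it are not visible in this hunk and may deserve the same check.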