From 7acaa4020d0eeb2911e70148ac57787f085e03e0 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Sat, 8 Feb 2020 10:58:15 +0100
Subject: Fix #79247: Garbage collecting variant objects segfaults

variant objects have no (declared) properties, so the `get_properties`
handlers returns a pointer to constant storage for efficiency reasons.
This pointer must not be returned from the `get_gc` handler, though;
instead we set up an own `get_gc` handler and return NULL from it, to
signal that there are no properties to collect.
---
 NEWS                          |  6 ++++++
 ext/com_dotnet/bug79247.phpt  | 13 +++++++++++++
 ext/com_dotnet/com_handlers.c |  9 ++++++++-
 3 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 ext/com_dotnet/bug79247.phpt

diff --git a/NEWS b/NEWS
index 00e1e840f1..554b5aefd5 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,11 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+?? Feb 2020, PHP 7.4.3
+
+- COM:
+  . Fixed bug #79247 (Garbage collecting variant objects segfaults). (cmb)
+
+
 06 Feb 2020, PHP 7.4.3RC1
 
 - Core:
diff --git a/ext/com_dotnet/bug79247.phpt b/ext/com_dotnet/bug79247.phpt
new file mode 100644
index 0000000000..55e24b1796
--- /dev/null
+++ b/ext/com_dotnet/bug79247.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #79247 (Garbage collecting variant objects segfaults)
+--SKIPIF--
+<?php
+if (!extension_loaded('com_dotnet')) die('skip com_dotnet extension not available');
+?>
+--FILE--
+<?php
+$keep = new variant(null);
+var_dump(gc_collect_cycles());
+?>
+--EXPECT--
+int(0)
diff --git a/ext/com_dotnet/com_handlers.c b/ext/com_dotnet/com_handlers.c
index fe39e2f9e0..d42e7453f8 100644
--- a/ext/com_dotnet/com_handlers.c
+++ b/ext/com_dotnet/com_handlers.c
@@ -243,6 +243,13 @@ static HashTable *com_properties_get(zval *object)
 	return &zend_empty_array;
 }
 
+static HashTable *com_get_gc(zval *object, zval **table, int *n)
+{
+	*table = NULL;
+	*n = 0;
+	return NULL;
+}
+
 static void function_dtor(zval *zv)
 {
 	zend_internal_function *f = (zend_internal_function*)Z_PTR_P(zv);
@@ -573,7 +580,7 @@ zend_object_handlers php_com_object_handlers = {
 	com_object_count,
 	NULL,									/* get_debug_info */
 	NULL,									/* get_closure */
-	zend_std_get_gc,						/* get_gc */
+	com_get_gc,								/* get_gc */
 };
 
 void php_com_object_enable_event_sink(php_com_dotnet_object *obj, int enable)
-- 
cgit v1.2.1