Fixed bug #34617 (zend_deactivate: objects_store used after zend_objects_store_destroy is called)

author: Dmitry Stogov <dmitry@php.net> 2005-09-27 18:07:41 +0000
committer: Dmitry Stogov <dmitry@php.net> 2005-09-27 18:07:41 +0000
commit: 386a3b93050a5004f337bce4c8fe666a253c0658 (patch)
tree: d0d9c28a4530cbc9955bf2f1b6992c1dbee84974
parent: 4329db25a1226593e31fba9d9395a19bbefa522c (diff)
download: php-git-386a3b93050a5004f337bce4c8fe666a253c0658.tar.gz
3 files changed, 31 insertions, 3 deletions
diff --git a/NEWS b/NEWS
index d99c1e60e2..e916ebd30a 100644
--- a/NEWS
+++ b/NEWS
@@ -37,6 +37,8 @@ PHP                                                                        NEWS
   (Andrey)
 - Fixed bug #34645 (ctype corrupts memory when validating large numbers). (Ilia)
 - Fixed bug #34643 (wsdl default value has no effect). (Dmitry)
+- Fixed bug #34617 (zend_deactivate: objects_store used after
+  zend_objects_store_destroy is called). (Dmitry)
 - Fixed bug #34590 (User defined PDOStatement class can't implement methods).
   (Marcus)
 - Fixed bug #34584 (Segfault with SPL autoload handler). (Marcus)
diff --git a/Zend/tests/bug34617.phpt b/Zend/tests/bug34617.phpt
new file mode 100755
index 0000000000..23c43c4f9f
--- /dev/null
+++ b/Zend/tests/bug34617.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #34617 (zend_deactivate: objects_store used after zend_objects_store_destroy is called) 
+--SKIPIF--
+<?php if (!extension_loaded("xml")) print "skip"; ?>
+--FILE--
+<?php
+class Thing {}
+function boom()
+{
+    $reader = xml_parser_create();
+    xml_set_object($reader, new Thing());
+    die("ok\n");
+    xml_parser_free($reader);
+}
+boom();
+?>
+--EXPECT--
+ok
+\ No newline at end of file
diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c
index a13181c5cc..9dedba20b2 100644
--- a/Zend/zend_objects_API.c
+++ b/Zend/zend_objects_API.c
@@ -38,6 +38,7 @@ ZEND_API void zend_objects_store_init(zend_objects_store *objects, zend_uint ini
 ZEND_API void zend_objects_store_destroy(zend_objects_store *objects)
 {
 	efree(objects->object_buckets);
+	objects->object_buckets = NULL;
 }
 
 ZEND_API void zend_objects_store_call_destructors(zend_objects_store *objects TSRMLS_DC)
@@ -138,9 +139,16 @@ ZEND_API void zend_objects_store_add_ref(zval *object TSRMLS_DC)
 
 ZEND_API void zend_objects_store_del_ref(zval *zobject TSRMLS_DC)
 {
-	zend_object_handle handle = Z_OBJ_HANDLE_P(zobject);
-	struct _store_object *obj = &EG(objects_store).object_buckets[handle].bucket.obj;
-	
+	zend_object_handle handle;
+	struct _store_object *obj;
+
+	if (!EG(objects_store).object_buckets) {
+		return;
+	}
+
+	handle = Z_OBJ_HANDLE_P(zobject);
+	obj = &EG(objects_store).object_buckets[handle].bucket.obj;
+
 	/*	Make sure we hold a reference count during the destructor call
 		otherwise, when the destructor ends the storage might be freed
 		when the refcount reaches 0 a second time
author	Dmitry Stogov <dmitry@php.net>	2005-09-27 18:07:41 +0000
committer	Dmitry Stogov <dmitry@php.net>	2005-09-27 18:07:41 +0000
commit	386a3b93050a5004f337bce4c8fe666a253c0658 (patch)
tree	d0d9c28a4530cbc9955bf2f1b6992c1dbee84974
parent	4329db25a1226593e31fba9d9395a19bbefa522c (diff)
download	php-git-386a3b93050a5004f337bce4c8fe666a253c0658.tar.gz