diff options
| author | Xinchen Hui <laruence@php.net> | 2015-04-20 11:48:21 +0800 |
|---|---|---|
| committer | Xinchen Hui <laruence@php.net> | 2015-04-20 11:48:21 +0800 |
| commit | d66045fe73fb646f15a45286313231908e656a37 (patch) | |
| tree | d0bec3a03ea3deafdde11d6c6a5f003f684aaf33 | |
| parent | a819404e9e4a96ee80975e05de053a6e210f6c41 (diff) | |
| download | php-git-d66045fe73fb646f15a45286313231908e656a37.tar.gz | |
Fixed bug #69485 (Double free on zend_list_dtor).
| -rw-r--r-- | NEWS | 1 | ||||
| -rw-r--r-- | Zend/zend_list.c | 14 | ||||
| -rw-r--r-- | ext/curl/interface.c | 2 | ||||
| -rw-r--r-- | ext/curl/tests/bug69485.phpt | 22 |
4 files changed, 32 insertions, 7 deletions
@@ -8,6 +8,7 @@ . Update the MIME type list from the one shipped by Apache HTTPD. (Adam) - Core: + . Fixed bug #69485 (Double free on zend_list_dtor). (Laruence) . Fixed bug #69427 (Segfault on magic method __call of private method in superclass). (Laruence) . Improved __call() and __callStatic() magic method handling. Now they are diff --git a/Zend/zend_list.c b/Zend/zend_list.c index 2c653782ee..261489b4a1 100644 --- a/Zend/zend_list.c +++ b/Zend/zend_list.c @@ -65,17 +65,19 @@ ZEND_API int zend_list_free(zend_resource *res) static void zend_resource_dtor(zend_resource *res) { zend_rsrc_list_dtors_entry *ld; + zend_resource r = *res; - ld = zend_hash_index_find_ptr(&list_destructors, res->type); + res->type = -1; + res->ptr = NULL; + + ld = zend_hash_index_find_ptr(&list_destructors, r.type); if (ld) { if (ld->list_dtor_ex) { - ld->list_dtor_ex(res); + ld->list_dtor_ex(&r); } } else { - zend_error(E_WARNING,"Unknown list entry type (%d)", res->type); + zend_error(E_WARNING, "Unknown list entry type (%d)", r.type); } - res->ptr = NULL; - res->type = -1; } @@ -178,8 +180,8 @@ void list_entry_destructor(zval *zv) { zend_resource *res = Z_RES_P(zv); + ZVAL_UNDEF(zv); if (res->type >= 0) { - zend_resource_dtor(res); } efree_size(res, sizeof(zend_resource)); diff --git a/ext/curl/interface.c b/ext/curl/interface.c index bf8d2f00eb..e18d084881 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -283,7 +283,7 @@ void _php_curl_verify_handlers(php_curl *ch, int reporterror) /* {{{ */ curl_easy_setopt(ch->cp, CURLOPT_FILE, (void *) ch); } } - return ; + return; } /* }}} */ diff --git a/ext/curl/tests/bug69485.phpt b/ext/curl/tests/bug69485.phpt new file mode 100644 index 0000000000..7a62589e5e --- /dev/null +++ b/ext/curl/tests/bug69485.phpt @@ -0,0 +1,22 @@ +--TEST-- +Bug #69485 (Double free on zend_list_dtor) +--SKIPIF-- +<?php include 'skipif.inc'; ?> +--FILE-- +<?php + +class O { + public $ch; + public function dummy() { + } +} + +$ch = curl_init(); + +$o = new O; +$o->ch = $ch; +curl_setopt($ch, CURLOPT_WRITEFUNCTION, array($o, "dummy")); +?> +==DONE== +--EXPECT-- +==DONE== |