author: Bob Weinand <bobwei9@hotmail.com> 2016-07-27 18:08:43 +0200
committer: Bob Weinand <bobwei9@hotmail.com> 2016-07-27 18:08:43 +0200
commit: 5513f00a972d1781349035cc097971fb9056cce1 (patch)
tree: e11bfed3f36cf1c777d4d5820809eb05a5fd54a3 /Zend
parent: 23c359c27614a8b30afd860f2543912d1b297d08 (diff)
download: php-git-5513f00a972d1781349035cc097971fb9056cce1.tar.gz
Fixed a potential segfault in zend_objects_store_free_object_storage()
Under the special circumstance where a garbage-collected object's bucket slot was not reused until the end of the script, we get access into freed memory... No test added, as it usually is valgrind-only, and only sometimes, when the memory happens to have changed (i.e. (GC_FLAGS(obj) & IS_OBJ_FREE_CALLED) == 0), it actually *may* segfault.
Diffstat (limited to 'Zend')
-rw-r--r--  Zend/zend_gc.c  1
1 files changed, 1 insertions, 0 deletions
diff --git a/Zend/zend_gc.c b/Zend/zend_gc.c
index 821ac4d9dc..95be5d80c0 100644
--- a/Zend/zend_gc.c
+++ b/Zend/zend_gc.c
@@ -1097,6 +1097,7 @@ ZEND_API int zend_gc_collect_cycles(void)
if (EG(objects_store).object_buckets &&
IS_OBJ_VALID(EG(objects_store).object_buckets[obj->handle])) {
+ EG(objects_store).object_buckets[obj->handle] = SET_OBJ_INVALID(obj);
GC_TYPE(obj) = IS_NULL;
if (!(GC_FLAGS(obj) & IS_OBJ_FREE_CALLED)) {
GC_FLAGS(obj) |= IS_OBJ_FREE_CALLED;
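Review bot: the new `EG(objects_store).object_buckets[obj->handle] = SET_OBJ_INVALID(obj);` store carries no comment, and nothing in the surrounding lines says why the bucket slot must be invalidated at this point; the reason (the slot may stay unreused until shutdown, so zend_objects_store_free_object_storage() would otherwise walk into the freed object) lives only in the commit message. Suggest a one-line comment above the store, e.g. `/* mark the slot invalid so object storage teardown skips this freed object */`, so the ordering before `GC_TYPE(obj) = IS_NULL;` and the dependency on the `IS_OBJ_VALID(...)` guard above are visible to future readers. The commit message also notes that no test was added because the failure is usually visible only under valgrind; a regression test that exercises the "slot not reused until script end" path would still document the intended behaviour even if it only fails under valgrind.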