Fixed access to memory that is already freed (in case of __call() method)

author Dmitry Stogov <dmitry@php.net>

Mon, 19 Sep 2005 16:28:54 +0000 (16:28 +0000)

committer Dmitry Stogov <dmitry@php.net>

Mon, 19 Sep 2005 16:28:54 +0000 (16:28 +0000)
author Dmitry Stogov <dmitry@php.net>
Mon, 19 Sep 2005 16:28:54 +0000 (16:28 +0000)
committer Dmitry Stogov <dmitry@php.net>
Mon, 19 Sep 2005 16:28:54 +0000 (16:28 +0000)
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h

index 86d50db5feff2b0e762e388ca970d6a769383755..ac48686da46882070f6cff4d968513fc9d0fb000 100644 (file)
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1830,6 +1830,8 @@ ZEND_VM_HELPER(zend_do_fcall_common_helper, ANY, ANY)
                 }
         }
         if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION) {
+               unsigned char return_reference = EX(function_state).function->common.return_reference;
+
                 ALLOC_ZVAL(EX_T(opline->result.u.var).var.ptr);
                 INIT_ZVAL(*(EX_T(opline->result.u.var).var.ptr));
  
@@ -1865,7 +1867,7 @@ ZEND_VM_HELPER(zend_do_fcall_common_helper, ANY, ANY)
                 if (!return_value_used) {
                         zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
                 } else {
-                       EX_T(opline->result.u.var).var.fcall_returned_reference = EX(function_state).function->common.return_reference;
+                       EX_T(opline->result.u.var).var.fcall_returned_reference = return_reference;
                 }
         } else if (EX(function_state).function->type == ZEND_USER_FUNCTION) {
                 HashTable *calling_symbol_table;
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h

index 32f91d60299977eea61bf190939ca3de5064a70d..2ef1b4ec64fd5385d7e9498c946396d9d18efcc3 100644 (file)
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -163,6 +163,8 @@ static int zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS)
                 }
         }
         if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION) {
+               unsigned char return_reference = EX(function_state).function->common.return_reference;
+
                 ALLOC_ZVAL(EX_T(opline->result.u.var).var.ptr);
                 INIT_ZVAL(*(EX_T(opline->result.u.var).var.ptr));
  
@@ -198,7 +200,7 @@ static int zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS)
                 if (!return_value_used) {
                         zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
                 } else {
-                       EX_T(opline->result.u.var).var.fcall_returned_reference = EX(function_state).function->common.return_reference;
+                       EX_T(opline->result.u.var).var.fcall_returned_reference = return_reference;
                 }
         } else if (EX(function_state).function->type == ZEND_USER_FUNCTION) {
                 HashTable *calling_symbol_table;
author	Dmitry Stogov <dmitry@php.net>
	Mon, 19 Sep 2005 16:28:54 +0000 (16:28 +0000)
committer	Dmitry Stogov <dmitry@php.net>
	Mon, 19 Sep 2005 16:28:54 +0000 (16:28 +0000)
Zend/zend_vm_def.h		patch \| blob \| history
Zend/zend_vm_execute.h		patch \| blob \| history