MFH: Fix bug #61165 (Segfault - strip_tags())
authorXinchen Hui <laruence@php.net>
Fri, 2 Mar 2012 02:51:57 +0000 (02:51 +0000)
committerXinchen Hui <laruence@php.net>
Fri, 2 Mar 2012 02:51:57 +0000 (02:51 +0000)
NEWS
Zend/tests/bug61165.phpt [new file with mode: 0644]
Zend/zend_API.c

diff --git a/NEWS b/NEWS
index 6646891f3937ed104b39b1628c56783ca0f0788e..52d2c5636e0da3b86cf30aa45df527be6ace2884 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,7 @@ PHP                                                                        NEWS
 
 - Core:
   . Fixed bug #61225 (Incorect lexing of 0b00*+<NUM>). (Pierrick)
+  . Fixed bug #61165 (Segfault - strip_tags()). (Laruence)
 
 - Standard:
   . Fixed memory leak in substr_replace. (Pierrick)
diff --git a/Zend/tests/bug61165.phpt b/Zend/tests/bug61165.phpt
new file mode 100644 (file)
index 0000000..478fa00
--- /dev/null
@@ -0,0 +1,28 @@
+--TEST--
+Bug #61165 (Segfault - strip_tags())
+--FILE--
+<?php
+
+$handler = NULL;
+class T {
+    public $_this;
+
+    public function __toString() {
+               global $handler;
+           $handler = $this;
+        $this->_this = $this; // <-- uncoment this
+        return 'A';
+    }
+}
+
+$t = new T;
+for ($i = 0; $i < 3; $i++) {
+    strip_tags($t);
+       strip_tags(new T);
+}
+var_dump($handler);
+--EXPECTF--
+object(T)#%d (1) {
+  ["_this"]=>
+  *RECURSION*
+}
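Review bot: The comment `// <-- uncoment this` on the `$this->_this = $this;` line is a leftover from the bug report's reproducer and reads as an instruction, although the line is already active. A comment such as `// self-reference needed to reproduce bug #61165` would tell the next reader why the assignment is there. The indentation inside `__toString()` and the `for` loop is also inconsistent and is worth normalising while the file is new.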
index e6560b224b749d83898d5cc0b9c2350e1177054c..1c608a7a30e4bba1b5c0a8f7f92e85d03b678ede 100644 (file)
@@ -262,12 +262,16 @@ ZEND_API int zend_get_object_classname(const zval *object, const char **class_na
 static int parse_arg_object_to_string(zval **arg, char **p, int *pl, int type TSRMLS_DC) /* {{{ */
 {
        if (Z_OBJ_HANDLER_PP(arg, cast_object)) {
-               SEPARATE_ZVAL_IF_NOT_REF(arg);
-               if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, type TSRMLS_CC) == SUCCESS) {
+               zval *obj;
+               MAKE_STD_ZVAL(obj);
+               if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, type TSRMLS_CC) == SUCCESS) {
+                       zval_ptr_dtor(arg);
+                       *arg = obj;
                        *pl = Z_STRLEN_PP(arg);
                        *p = Z_STRVAL_PP(arg);
                        return SUCCESS;
                }
+               efree(obj);
        }
        /* Standard PHP objects */
        if (Z_OBJ_HT_PP(arg) == &std_object_handlers || !Z_OBJ_HANDLER_PP(arg, cast_object)) {
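Review bot: The failure path at `efree(obj);` releases only the zval container, which is safe only if a `cast_object` handler that fails has left `obj` without a value, and nothing in this hunk states or enforces that. A short comment would record the assumption, e.g. `/* obj carries no value when cast_object fails: release the container only */`, and `FREE_ZVAL(obj);` would pair more visibly with `MAKE_STD_ZVAL` than a bare `efree`. The success branch also reads `Z_STRLEN_PP(arg)` and `Z_STRVAL_PP(arg)` from the handler's output without checking `Z_TYPE_P(obj) == IS_STRING`, so a handler that reports SUCCESS with another type would hand the caller a bogus pointer/length pair. Whether any handler can do that is not visible here. The function body continues past the end of the hunk.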