Fixed bug #54305 (Crash in gc_remove_zval_from_buffer)

diff --git a/Zend/tests/bug54305.phpt b/Zend/tests/bug54305.phpt
new file mode 100644 (file)
index 0000000..8e85d2b
--- /dev/null
+++ b/Zend/tests/bug54305.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #54305 (Crash in gc_remove_zval_from_buffer)
+--FILE--
+<?php
+class TestClass {
+    public function methodWithArgs($a, $b) {
+    }
+}
+abstract class AbstractClass {
+}
+$methodWithArgs = new ReflectionMethod('TestClass', 'methodWithArgs');
+echo $methodWithArgs++;
+?>
+--EXPECTF--
+Method [ <user> public method methodWithArgs ] {
+  @@ %sbug54305.php %d - %d
+
+  - Parameters [2] {
+    Parameter #0 [ <required> $a ]
+    Parameter #1 [ <required> $b ]
+  }
+}

diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index aad9585a8ff6ad86e1b5c0755d063d46257f41a2..cdc6456282b78f5f20150b80d56d9ebff4149f0a 100644 (file)
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -982,10 +982,16 @@ ZEND_VM_HANDLER(40, ZEND_ECHO, CONST|TMP|VAR|CV, ANY)
 
        if (OP1_TYPE != IS_CONST &&
            UNEXPECTED(Z_TYPE_P(z) == IS_OBJECT) &&
-           Z_OBJ_HT_P(z)->get_method != NULL &&
-               zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) {
-               zend_print_variable(&z_copy);
-               zval_dtor(&z_copy);
+           Z_OBJ_HT_P(z)->get_method != NULL) {
+           if (OP1_TYPE == IS_TMP_VAR) {
+               INIT_PZVAL(z);
+           }
+               if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) {
+                       zend_print_variable(&z_copy);
+                       zval_dtor(&z_copy);
+               } else {
+                       zend_print_variable(z);
+               }
        } else {
                zend_print_variable(z);
        }

diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 99a939644b65c88b99d661687c1e6d4d8e9350b2..039d199d47416dd73bd6792e8442d24dfe09d246 100644 (file)
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -2012,10 +2012,16 @@ static int ZEND_FASTCALL  ZEND_ECHO_SPEC_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 
        if (IS_CONST != IS_CONST &&
            UNEXPECTED(Z_TYPE_P(z) == IS_OBJECT) &&
-           Z_OBJ_HT_P(z)->get_method != NULL &&
-               zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) {
-               zend_print_variable(&z_copy);
-               zval_dtor(&z_copy);
+           Z_OBJ_HT_P(z)->get_method != NULL) {
+           if (IS_CONST == IS_TMP_VAR) {
+               INIT_PZVAL(z);
+           }
+               if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) {
+                       zend_print_variable(&z_copy);
+                       zval_dtor(&z_copy);
+               } else {
+                       zend_print_variable(z);
+               }
        } else {
                zend_print_variable(z);
        }
@@ -6278,10 +6284,16 @@ static int ZEND_FASTCALL  ZEND_ECHO_SPEC_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 
        if (IS_TMP_VAR != IS_CONST &&
            UNEXPECTED(Z_TYPE_P(z) == IS_OBJECT) &&
-           Z_OBJ_HT_P(z)->get_method != NULL &&
-               zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) {
-               zend_print_variable(&z_copy);
-               zval_dtor(&z_copy);
+           Z_OBJ_HT_P(z)->get_method != NULL) {
+           if (IS_TMP_VAR == IS_TMP_VAR) {
+               INIT_PZVAL(z);
+           }
+               if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) {
+                       zend_print_variable(&z_copy);
+                       zval_dtor(&z_copy);
+               } else {
+                       zend_print_variable(z);
+               }
        } else {
                zend_print_variable(z);
        }
@@ -10455,10 +10467,16 @@ static int ZEND_FASTCALL  ZEND_ECHO_SPEC_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 
        if (IS_VAR != IS_CONST &&
            UNEXPECTED(Z_TYPE_P(z) == IS_OBJECT) &&
-           Z_OBJ_HT_P(z)->get_method != NULL &&
-               zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) {
-               zend_print_variable(&z_copy);
-               zval_dtor(&z_copy);
+           Z_OBJ_HT_P(z)->get_method != NULL) {
+           if (IS_VAR == IS_TMP_VAR) {
+               INIT_PZVAL(z);
+           }
+               if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) {
+                       zend_print_variable(&z_copy);
+                       zval_dtor(&z_copy);
+               } else {
+                       zend_print_variable(z);
+               }
        } else {
                zend_print_variable(z);
        }
@@ -26192,10 +26210,16 @@ static int ZEND_FASTCALL  ZEND_ECHO_SPEC_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 
        if (IS_CV != IS_CONST &&
            UNEXPECTED(Z_TYPE_P(z) == IS_OBJECT) &&
-           Z_OBJ_HT_P(z)->get_method != NULL &&
-               zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) {
-               zend_print_variable(&z_copy);
-               zval_dtor(&z_copy);
+           Z_OBJ_HT_P(z)->get_method != NULL) {
+           if (IS_CV == IS_TMP_VAR) {
+               INIT_PZVAL(z);
+           }
+               if (zend_std_cast_object_tostring(z, &z_copy, IS_STRING TSRMLS_CC) == SUCCESS) {
+                       zend_print_variable(&z_copy);
+                       zval_dtor(&z_copy);
+               } else {
+                       zend_print_variable(z);
+               }
        } else {
                zend_print_variable(z);
        }