MFH: - Fixed bug #43092 (curl_copy_handle() crashes with > 32 chars long URL)

diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index a460200c01a32723919f70de403c6f16429edf48..f4aa31baae637be0cdb56d8ef6786d5dba76b7fd 100644 (file)
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -1074,9 +1074,9 @@ static void alloc_curl_handle(php_curl **ch)
                
        memset(&(*ch)->err, 0, sizeof((*ch)->err));
        
-       zend_llist_init(&(*ch)->to_free.str,   sizeof(char *),            (void(*)(void *)) curl_free_string, 0);
-       zend_llist_init(&(*ch)->to_free.slist, sizeof(struct curl_slist), (void(*)(void *)) curl_free_slist,  0);
-       zend_llist_init(&(*ch)->to_free.post,  sizeof(struct HttpPost),   (void(*)(void *)) curl_free_post,   0);
+       zend_llist_init(&(*ch)->to_free.str,   sizeof(char *),            (llist_dtor_func_t) curl_free_string, 0);
+       zend_llist_init(&(*ch)->to_free.slist, sizeof(struct curl_slist), (llist_dtor_func_t) curl_free_slist,  0);
+       zend_llist_init(&(*ch)->to_free.post,  sizeof(struct HttpPost),   (llist_dtor_func_t) curl_free_post,   0);
 }
 /* }}} */
 
@@ -1204,6 +1204,8 @@ PHP_FUNCTION(curl_copy_handle)
        curl_easy_setopt(dupch->cp, CURLOPT_WRITEHEADER,       (void *) dupch);
 
        zend_llist_copy(&dupch->to_free.str, &ch->to_free.str);
+       /* Don't try to free copied strings, they're free'd when the original handle is destroyed */
+       dupch->to_free.str.dtor = NULL;
        zend_llist_copy(&dupch->to_free.slist, &ch->to_free.slist);
        zend_llist_copy(&dupch->to_free.post, &ch->to_free.post);