]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: cbf589b)
Fixed bug #78658
authorNikita Popov <nikita.ppv@gmail.com>
Wed, 9 Oct 2019 14:59:38 +0000 (16:59 +0200)
committerNikita Popov <nikita.ppv@gmail.com>
Wed, 9 Oct 2019 15:00:27 +0000 (17:00 +0200)
NEWS patch | blob | history
Zend/tests/bug78658.phpt [new file with mode: 0644] patch | blob
Zend/zend_closures.c patch | blob | history

diff --git a/NEWS b/NEWS
index b7d193ab58164d4ad3c9b9cdfa9376e671e5e2ab..e96d88f4c1c11b8686313bec3bf2edfc01d64aaf 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 7.3.12
 
+- Core:
+  . Fixed bug #78658 (Memory corruption using Closure::bindTo). (Nikita)
+
 - Iconv:
   . Fixed bug #78642 (Wrong libiconv version displayed). (gedas at martynas,
     cmb).
diff --git a/Zend/tests/bug78658.phpt b/Zend/tests/bug78658.phpt
new file mode 100644 (file)
index 0000000..3445b98
--- /dev/null
+++ b/Zend/tests/bug78658.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #78658: Memory corruption using Closure::bindTo()
+--FILE--
+<?php
+
+$c = function(){};
+
+$scope = "AAAA";
+$scope = "{$scope}BBBB";
+$c->bindTo(new stdClass, $scope);
+
+?>
+--EXPECTF--
+Warning: Class 'AAAABBBB' not found in %s on line %d
diff --git a/Zend/zend_closures.c b/Zend/zend_closures.c
index ac6382626249a4c35339887457d6a167d6434885..fce69f12ff9bb477b848d765c55ffcf302774e6e 100644 (file)
--- a/Zend/zend_closures.c
+++ b/Zend/zend_closures.c
@@ -200,7 +200,7 @@ ZEND_METHOD(Closure, bind)
                                ce = closure->func.common.scope;
                        } else if ((ce = zend_lookup_class_ex(class_name, NULL, 1)) == NULL) {
                                zend_error(E_WARNING, "Class '%s' not found", ZSTR_VAL(class_name));
-                               zend_string_release_ex(class_name, 0);
+                               zend_tmp_string_release(tmp_class_name);
                                RETURN_NULL();
                        }
                        zend_tmp_string_release(tmp_class_name);
Unnamed repository; edit this file 'description' to name the repository.