fix Bug #48541: spl_autoload_register only registers first closure, then leaks the...

diff --git a/NEWS b/NEWS
index def69b4301abea0966b6065f1b868392301d1b9b..003e934c6758a677b719d3d5fe4283e6307e55eb 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,8 +3,12 @@ PHP                                                                        NEWS
 ?? ??? 2009, PHP 5.3.0 RC 4
 - Added phar.phar generation for Windows. (Greg)
 
+- Fixed bug #48541 (spl_autoload_register only registers first closure, then
+  leaks the others). (Greg)
 - Fixed bug #48533 (__callStatic is not invoked for private/protected methods).
   (Felipe)
+- Fixed missing erealloc() in fix for Bug #40091 in spl_autoload_register.
+  (Greg)
 
 11 Jun 2009, PHP 5.3.0 RC 3
 - Upgraded bundled sqlite to version 3.6.14.2. (Scott, Ilia)

diff --git a/ext/spl/php_spl.c b/ext/spl/php_spl.c
index 2e34f46e640040c3d3307e8de192ba0ba4f2129f..bb6aa42f7ecf0cb21b88f1b90481e2b4e42fd33f 100755 (executable)
--- a/ext/spl/php_spl.c
+++ b/ext/spl/php_spl.c
@@ -497,10 +497,6 @@ PHP_FUNCTION(spl_autoload_register)
                alfi.ce = fcc.calling_scope;
                alfi.func_ptr = fcc.function_handler;
                obj_ptr = fcc.object_ptr;
-               if (Z_TYPE_P(zcallable) == IS_OBJECT) {
-                       alfi.closure = zcallable;
-                       Z_ADDREF_P(zcallable);
-               }
                if (error) {
                        efree(error);
                }
@@ -509,12 +505,27 @@ PHP_FUNCTION(spl_autoload_register)
                zend_str_tolower_copy(lc_name, func_name, func_name_len);
                efree(func_name);
 
+               if (Z_TYPE_P(zcallable) == IS_OBJECT) {
+                       alfi.closure = zcallable;
+                       Z_ADDREF_P(zcallable);
+
+                       lc_name = erealloc(lc_name, func_name_len + 2 + sizeof(zcallable->value.obj.handle));
+                       memcpy(lc_name + func_name_len, &(zcallable->value.obj.handle),
+                               sizeof(zcallable->value.obj.handle));
+                       func_name_len += sizeof(zcallable->value.obj.handle);
+                       lc_name[func_name_len] = '\0';
+               }
+
                if (SPL_G(autoload_functions) && zend_hash_exists(SPL_G(autoload_functions), (char*)lc_name, func_name_len+1)) {
+                       if (alfi.closure) {
+                               Z_DELREF_P(zcallable);
+                       }
                        goto skip;
                }
 
                if (obj_ptr && !(alfi.func_ptr->common.fn_flags & ZEND_ACC_STATIC)) {
                        /* add object id to the hash to ensure uniqueness, for more reference look at bug #40091 */
+                       lc_name = erealloc(lc_name, func_name_len + 2 + sizeof(zend_object_handle));
                        memcpy(lc_name + func_name_len, &Z_OBJ_HANDLE_P(obj_ptr), sizeof(zend_object_handle));
                        func_name_len += sizeof(zend_object_handle);
                        lc_name[func_name_len] = '\0';

diff --git a/ext/spl/tests/spl_autoload_bug48541.phpt b/ext/spl/tests/spl_autoload_bug48541.phpt
new file mode 100644 (file)
index 0000000..eef81bd
--- /dev/null
+++ b/ext/spl/tests/spl_autoload_bug48541.phpt
@@ -0,0 +1,24 @@
+--TEST--
+SPL: spl_autoload_register() Bug #48541: registering multiple closures fails with memleaks
+--FILE--
+<?php
+$a = function ($class) {
+    echo "a called\n";
+};
+$b = function ($class) {
+    eval('class ' . $class . '{function __construct(){echo "foo\n";}}');
+    echo "b called\n";
+};
+spl_autoload_register($a);
+spl_autoload_register($b);
+
+$c = $a;
+spl_autoload_register($c);
+$c = new foo;
+?>
+===DONE===
+--EXPECT--
+a called
+b called
+foo
+===DONE===
\ No newline at end of file