Fixed bug #27598 (list() array key assignment causes HUGE memory leak)

diff --git a/NEWS b/NEWS
index 438d3ee44b2fa4fca869b9fae48b8fc8a0be11e1..71f36210682cfd852d5c096f26e9b7b4fae0a000 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -143,6 +143,8 @@ PHP                                                                        NEWS
 - Fixed bug #28839 (SIGSEGV in interactive mode (php -a)).
   (kameshj at fastmail dot fm)
 - Fixed bug #28605 (Need to use -[m]ieee option for Alpha CPUs). (Jani)
+- Fixed bug #27598 (list() array key assignment causes HUGE memory leak).
+  (Dmitry)
 - Fixed bug #22836 (returning reference to uninitialized variable). (Dmitry)
 
 31 Mar 2005, PHP 5.0.4

diff --git a/Zend/tests/bug27598.phpt b/Zend/tests/bug27598.phpt
new file mode 100755 (executable)
index 0000000..534e8cf
--- /dev/null
+++ b/Zend/tests/bug27598.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #27598 (list() array key assignment causes HUGE memory leak)
+--FILE--
+<?php
+list($out[0]) = array(1);
+var_dump($out);
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  int(1)
+}

diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index b1805298f785053063092c1637bde0cdfe93171c..81f117bed4769c8948731132a6426c809da722fd 100644 (file)
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -3017,7 +3017,6 @@ void zend_do_list_end(znode *result, znode *expr TSRMLS_DC)
        zend_llist_element *dimension;
        zend_op *opline;
        znode last_container;
-       int opcode_index;
        int last_op_number;
        zend_op *last_op;
 
@@ -3059,14 +3058,10 @@ void zend_do_list_end(znode *result, znode *expr TSRMLS_DC)
                ((list_llist_element *) le->data)->value = last_container;
                zend_llist_destroy(&((list_llist_element *) le->data)->dimensions);
                zend_do_end_variable_parse(BP_VAR_W, 0 TSRMLS_CC);
-               opcode_index = - 1;
                last_op_number = get_next_op_number(CG(active_op_array))-1;
                last_op = &CG(active_op_array)->opcodes[last_op_number];
-               if (last_op->opcode == ZEND_FETCH_OBJ_W) {
-                       opcode_index = - 2;
-               }
                zend_do_assign(result, &((list_llist_element *) le->data)->var, &((list_llist_element *) le->data)->value TSRMLS_CC);
-               CG(active_op_array)->opcodes[CG(active_op_array)->last + opcode_index].result.u.EA.type |= EXT_TYPE_UNUSED;
+               zend_do_free(result TSRMLS_CC);
                le = le->next;
        }
        zend_llist_destroy(&CG(dimension_llist));

diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index a0cf5356ad13c356106f94d28d2a2b34ecae8c19..084c7f9d2e0917d3c2d65e9b13f71755a47481a5 100644 (file)
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -2235,7 +2235,7 @@ int zend_assign_dim_handler(ZEND_OPCODE_HANDLER_ARGS)
                zend_fetch_dimension_address(&op_data->op2, &opline->op1, &opline->op2, EX(Ts), BP_VAR_W TSRMLS_CC);
 
                value = get_zval_ptr(&op_data->op1, EX(Ts), &EG(free_op1), BP_VAR_R);
-               zend_assign_to_variable(&opline->result, &op_data->op2, &op_data->op1, value, (EG(free_op1)?IS_TMP_VAR:opline->op1.op_type), EX(Ts) TSRMLS_CC);
+               zend_assign_to_variable(&opline->result, &op_data->op2, &op_data->op1, value, (EG(free_op1)?IS_TMP_VAR:op_data->op1.op_type), EX(Ts) TSRMLS_CC);
        }
        /* assign_dim has two opcodes! */
        INC_OPCODE();