MFB: Fixed bug #42976 (Crash when constructor for newInstance() or

newInstanceArgs() fails)

diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
index 0ce79a14d3de6f9ae6c5bcd14174e41732b201be..37ca021614f8710f77b79556fb2887257ad3ec56 100644 (file)
--- a/ext/reflection/php_reflection.c
+++ b/ext/reflection/php_reflection.c
@@ -3484,7 +3484,7 @@ ZEND_METHOD(reflection_class, isInstance)
    Returns an instance of this class */
 ZEND_METHOD(reflection_class, newInstance)
 {
-       zval *retval_ptr;
+       zval *retval_ptr = NULL;
        reflection_object *intern;
        zend_class_entry *ce;
        int argc = ZEND_NUM_ARGS();
@@ -3528,7 +3528,9 @@ ZEND_METHOD(reflection_class, newInstance)
 
                if (zend_call_function(&fci, &fcc TSRMLS_CC) == FAILURE) {
                        efree(params);
-                       zval_ptr_dtor(&retval_ptr);
+                       if (retval_ptr) {
+                               zval_ptr_dtor(&retval_ptr);
+                       }
                        zend_error(E_WARNING, "Invocation of %v's constructor failed", ce->name);
                        RETURN_NULL();
                }
@@ -3548,7 +3550,7 @@ ZEND_METHOD(reflection_class, newInstance)
    Returns an instance of this class */
 ZEND_METHOD(reflection_class, newInstanceArgs)
 {
-       zval *retval_ptr;
+       zval *retval_ptr = NULL;
        reflection_object *intern;
        zend_class_entry *ce;
        int argc = 0;
@@ -3603,7 +3605,9 @@ ZEND_METHOD(reflection_class, newInstanceArgs)
                        if (params) {
                                efree(params);
                        }
-                       zval_ptr_dtor(&retval_ptr);
+                       if (retval_ptr) {
+                               zval_ptr_dtor(&retval_ptr);
+                       }
                        zend_error(E_WARNING, "Invocation of %v's constructor failed", ce->name);
                        RETURN_NULL();
                }

diff --git a/ext/reflection/tests/bug42976.phpt b/ext/reflection/tests/bug42976.phpt
new file mode 100644 (file)
index 0000000..38aed3a
--- /dev/null
+++ b/ext/reflection/tests/bug42976.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails)
+--FILE--
+<?php
+
+Class C {
+       function __construct(&$x) {
+               $x = "x.changed";
+       }
+}
+
+$x = "x.original";
+new C($x); // OK
+var_dump($x);
+
+$rc = new ReflectionClass('C');
+$x = "x.original";
+$rc->newInstance($x); // causes crash
+var_dump($x);
+$x = "x.original";
+$rc->newInstanceArgs(array($x)); // causes crash       
+var_dump($x);
+
+echo "Done\n";
+?>
+--EXPECTF--    
+string(9) "x.changed"
+
+Warning: Invocation of C's constructor failed in %s/bug42976.php on line %d
+string(10) "x.original"
+
+Warning: Invocation of C's constructor failed in %s/bug42976.php on line %d
+string(10) "x.original"
+Done