fix bug #47353 (crash when creating a lot of objects in object destructor)

diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c
index 90e4af5ded288d762fa142aa9dfe99728bd3a705..e439449b7eb367999ca68d23f3263ef32ac5f747 100644 (file)
--- a/Zend/zend_objects_API.c
+++ b/Zend/zend_objects_API.c
@@ -57,6 +57,7 @@ ZEND_API void zend_objects_store_call_destructors(zend_objects_store *objects TS
                                if (obj->dtor && obj->object) {
                                        obj->refcount++;
                                        obj->dtor(obj->object, i TSRMLS_CC);
+                                       obj = &objects->object_buckets[i].bucket.obj;
                                        obj->refcount--;
                                }
                        }
@@ -225,6 +226,10 @@ ZEND_API void zend_objects_store_del_ref_by_handle_ex(zend_object_handle handle,
                                        } zend_end_try();
                                }
                        }
+
+                       /* re-read the object from the object store as the store might have been reallocated in the dtor */
+                       obj = &EG(objects_store).object_buckets[handle].bucket.obj;
+
                        if (obj->refcount == 1) {
                                GC_REMOVE_ZOBJ_FROM_BUFFER(obj);
                                if (obj->free_storage) {
@@ -268,6 +273,7 @@ ZEND_API zend_object_value zend_objects_store_clone_obj(zval *zobject TSRMLS_DC)
        }
 
        obj->clone(obj->object, &new_object TSRMLS_CC);
+       obj = &EG(objects_store).object_buckets[handle].bucket.obj;
 
        retval.handle = zend_objects_store_put(new_object, obj->dtor, obj->free_storage, obj->clone TSRMLS_CC);
        retval.handlers = Z_OBJ_HT_P(zobject);