Fix a memory corruption bug with by-ref function arguments

diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index a2e0f0c0db33974d3b4b75548346828428808184..cd393bf379ba3ecc45028512cb53e1ba6438f56a 100644 (file)
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -786,16 +786,17 @@ void do_receive_arg(int op, znode *var, znode *offset, znode *initialization, un
        } else {
                SET_UNUSED(opline->op2);
        }
-       if (pass_type==BYREF_FORCE && !CG(active_op_array)->arg_types) {
-               int i;
+       if (!CG(active_op_array)->arg_types) {
+               if (pass_type==BYREF_FORCE) {
+                       int i;
 
-               CG(active_op_array)->arg_types = (unsigned char *) emalloc(sizeof(unsigned char)*(offset->u.constant.value.lval+1));
-               for (i=1; i<offset->u.constant.value.lval; i++) {
-                       CG(active_op_array)->arg_types[i] = BYREF_NONE;
+                       CG(active_op_array)->arg_types = (unsigned char *) emalloc(sizeof(unsigned char)*(offset->u.constant.value.lval+1));
+                       for (i=1; i<offset->u.constant.value.lval; i++) {
+                               CG(active_op_array)->arg_types[i] = BYREF_NONE;
+                       }
+                       CG(active_op_array)->arg_types[0]=(unsigned char) offset->u.constant.value.lval;
                }
-               CG(active_op_array)->arg_types[0]=(unsigned char) offset->u.constant.value.lval;
-       }
-       if (CG(active_op_array)->arg_types) {
+       } else {
                CG(active_op_array)->arg_types = (unsigned char *) erealloc(CG(active_op_array)->arg_types, sizeof(unsigned char)*(offset->u.constant.value.lval+1));
                CG(active_op_array)->arg_types[offset->u.constant.value.lval] = pass_type;
                CG(active_op_array)->arg_types[0]++;