Fix Bug #26077 - memory leak when new() result is not assigned

and no constructor defined

diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 414d98e00f1a54fd7f187593d7551141ba53d45b..788ba0889053c637888c760e6ea59a99eba7e160 100644 (file)
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -918,6 +918,7 @@ void zend_do_free(znode *op1 TSRMLS_DC)
                                 * proceeding INIT_FCALL_BY_NAME as unused
                                 */
                                if (opline->opcode == ZEND_JMP_NO_CTOR) {
+                                       opline->op1.u.EA.type |= EXT_TYPE_UNUSED;
                                        (opline-1)->result.u.EA.type |= EXT_TYPE_UNUSED;
                                        (opline+1)->op1.u.EA.type |= EXT_TYPE_UNUSED;
                                        break;

diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 62350865adf12b4899938da5cc7e3d51fd2ebeed..4853d18d7a5fd6121e04198a71a4b3c6b535dcc9 100644 (file)
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -3095,7 +3095,7 @@ int zend_new_handler(ZEND_OPCODE_HANDLER_ARGS)
        object_init_ex(EX_T(EX(opline)->result.u.var).var.ptr, EX_T(EX(opline)->op1.u.var).class_entry);
        EX_T(EX(opline)->result.u.var).var.ptr->refcount=1;
        EX_T(EX(opline)->result.u.var).var.ptr->is_ref=1;
-
+       
        NEXT_OPCODE();
 }
 
@@ -3731,6 +3731,9 @@ int zend_jmp_no_ctor_handler(ZEND_OPCODE_HANDLER_ARGS)
 
        EX(fbc_constructor) = NULL;
        if (constructor == NULL) {
+               if(EX(opline)->op1.u.EA.type & EXT_TYPE_UNUSED) {
+                       zval_ptr_dtor(EX_T(EX(opline)->op1.u.var).var.ptr_ptr);
+               }
                EX(opline) = op_array->opcodes + EX(opline)->op2.u.opline_num;
                return 0; /* CHECK_ME */
        } else {