Fixed bug #71163 (Segmentation Fault: cleanup_unfinished_calls)

diff --git a/NEWS b/NEWS
index 699a54efe2407c543754697e18fc4d91f1795014..70e11367aa6814c12a750e899a90fbae4e1cef03 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ PHP                                                                        NEWS
 ?? Jan 2016 PHP 7.0.2
 
 - Core:
+  . Fixed bug #71163 (Segmentation Fault: cleanup_unfinished_calls). (Laruence)
   . Fixed bug #71109 (ZEND_MOD_CONFLICTS("xdebug") doesn't work). (Laruence)
   . Fixed bug #71105 (Format String Vulnerability in Class Name Error Message).
     (andrew at jmpesp dot org)

diff --git a/Zend/tests/bug71163.phpt b/Zend/tests/bug71163.phpt
new file mode 100644 (file)
index 0000000..102b1b9
--- /dev/null
+++ b/Zend/tests/bug71163.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug #71163 (Segmentation Fault (cleanup_unfinished_calls))
+--FILE--
+<?php
+function __autoload($name) { 
+       eval ("class $name extends Exception { public static function foo() {}}");
+       throw new Exception("boom");
+}
+
+function test2() {
+       try {
+               Test::foo();
+       } catch (Exception $e) {
+               echo "okey";
+       }
+}
+
+function test() {
+       test2();
+}
+
+test();
+?>
+--EXPECT--
+okey

diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
index fdffed34b275775084eeaf943a12c992edac2e0c..802b7c8ca345eae31a481b953d1efd0ca558fecf 100644 (file)
--- a/Zend/zend_execute_API.c
+++ b/Zend/zend_execute_API.c
@@ -937,7 +937,6 @@ ZEND_API zend_class_entry *zend_lookup_class_ex(zend_string *name, const zval *k
        zend_class_entry *ce = NULL;
        zval args[1];
        zval local_retval;
-       int retval;
        zend_string *lc_name;
        zend_fcall_info fcall_info;
        zend_fcall_info_cache fcall_cache;
@@ -1033,7 +1032,9 @@ ZEND_API zend_class_entry *zend_lookup_class_ex(zend_string *name, const zval *k
        fcall_cache.object = NULL;
 
        zend_exception_save();
-       retval = zend_call_function(&fcall_info, &fcall_cache);
+       if ((zend_call_function(&fcall_info, &fcall_cache) == SUCCESS) && !EG(exception)) {
+               ce = zend_hash_find_ptr(EG(class_table), lc_name);
+       }
        zend_exception_restore();
 
        zval_ptr_dtor(&args[0]);
@@ -1043,9 +1044,6 @@ ZEND_API zend_class_entry *zend_lookup_class_ex(zend_string *name, const zval *k
 
        zval_ptr_dtor(&local_retval);
 
-       if (retval == SUCCESS) {
-               ce = zend_hash_find_ptr(EG(class_table), lc_name);
-       }
        if (!key) {
                zend_string_release(lc_name);
        }