Fixed bug #42976 (Crash when constructor for newInstance() or

newInstanceArgs() fails)

diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
index 139e60b9d497b4ec9c16f814b66acf4381c82fed..9a7de3e37d964bb6d4d5411e55f276b1fef99ee9 100644 (file)
--- a/ext/reflection/php_reflection.c
+++ b/ext/reflection/php_reflection.c
@@ -3405,7 +3405,7 @@ ZEND_METHOD(reflection_class, isInstance)
    Returns an instance of this class */
 ZEND_METHOD(reflection_class, newInstance)
 {
-       zval *retval_ptr;
+       zval *retval_ptr = NULL;
        reflection_object *intern;
        zend_class_entry *ce;
        int argc = ZEND_NUM_ARGS();
@@ -3449,7 +3449,9 @@ ZEND_METHOD(reflection_class, newInstance)
 
                if (zend_call_function(&fci, &fcc TSRMLS_CC) == FAILURE) {
                        efree(params);
-                       zval_ptr_dtor(&retval_ptr);
+                       if (retval_ptr) {
+                               zval_ptr_dtor(&retval_ptr);
+                       }
                        zend_error(E_WARNING, "Invocation of %s's constructor failed", ce->name);
                        RETURN_NULL();
                }
@@ -3469,7 +3471,7 @@ ZEND_METHOD(reflection_class, newInstance)
    Returns an instance of this class */
 ZEND_METHOD(reflection_class, newInstanceArgs)
 {
-       zval *retval_ptr;
+       zval *retval_ptr = NULL;
        reflection_object *intern;
        zend_class_entry *ce;
        int argc = 0;
@@ -3524,7 +3526,9 @@ ZEND_METHOD(reflection_class, newInstanceArgs)
                        if (params) {
                                efree(params);
                        }
-                       zval_ptr_dtor(&retval_ptr);
+                       if (retval_ptr) {
+                               zval_ptr_dtor(&retval_ptr);
+                       }
                        zend_error(E_WARNING, "Invocation of %s's constructor failed", ce->name);
                        RETURN_NULL();
                }

diff --git a/ext/reflection/tests/bug42976.phpt b/ext/reflection/tests/bug42976.phpt
new file mode 100644 (file)
index 0000000..38aed3a
--- /dev/null
+++ b/ext/reflection/tests/bug42976.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails)
+--FILE--
+<?php
+
+Class C {
+       function __construct(&$x) {
+               $x = "x.changed";
+       }
+}
+
+$x = "x.original";
+new C($x); // OK
+var_dump($x);
+
+$rc = new ReflectionClass('C');
+$x = "x.original";
+$rc->newInstance($x); // causes crash
+var_dump($x);
+$x = "x.original";
+$rc->newInstanceArgs(array($x)); // causes crash       
+var_dump($x);
+
+echo "Done\n";
+?>
+--EXPECTF--    
+string(9) "x.changed"
+
+Warning: Invocation of C's constructor failed in %s/bug42976.php on line %d
+string(10) "x.original"
+
+Warning: Invocation of C's constructor failed in %s/bug42976.php on line %d
+string(10) "x.original"
+Done