- Fixed bug #43092 (curl_copy_handle() crashes with > 32 chars long URL)

diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index 57467ffc19e178125c559eb992ac80f00d29d4d9..d1f15ba6f1f05676be9a73d993fb71320d4de8be 100644 (file)
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -1076,9 +1076,9 @@ static void alloc_curl_handle(php_curl **ch)
                
        memset(&(*ch)->err, 0, sizeof((*ch)->err));
        
-       zend_llist_init(&(*ch)->to_free.str,   sizeof(char *),            (void(*)(void *)) curl_free_string, 0);
-       zend_llist_init(&(*ch)->to_free.slist, sizeof(struct curl_slist), (void(*)(void *)) curl_free_slist,  0);
-       zend_llist_init(&(*ch)->to_free.post,  sizeof(struct HttpPost),   (void(*)(void *)) curl_free_post,   0);
+       zend_llist_init(&(*ch)->to_free.str,   sizeof(char *),            (llist_dtor_func_t) curl_free_string, 0);
+       zend_llist_init(&(*ch)->to_free.slist, sizeof(struct curl_slist), (llist_dtor_func_t) curl_free_slist,  0);
+       zend_llist_init(&(*ch)->to_free.post,  sizeof(struct HttpPost),   (llist_dtor_func_t) curl_free_post,   0);
 }
 /* }}} */
 
@@ -1210,6 +1210,8 @@ PHP_FUNCTION(curl_copy_handle)
        curl_easy_setopt(dupch->cp, CURLOPT_WRITEHEADER,       (void *) dupch);
 
        zend_llist_copy(&dupch->to_free.str, &ch->to_free.str);
+       /* Don't try to free copied strings, they're free'd when the original handle is destroyed */
+       dupch->to_free.str.dtor = NULL;
        zend_llist_copy(&dupch->to_free.slist, &ch->to_free.slist);
        zend_llist_copy(&dupch->to_free.post, &ch->to_free.post);