Possible fix for bug #26281 & test case.

diff --git a/Zend/tests/bug26281.phpt b/Zend/tests/bug26281.phpt
new file mode 100755 (executable)
index 0000000..a3a735a
--- /dev/null
+++ b/Zend/tests/bug26281.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #26281 (switch() crash when condition is a string offset)
+--FILE--
+<?php
+       $x = 'abc';
+       switch ($x{0}) {
+               case 'a':
+                       echo "no crash\n";
+                       break;
+       }
+?>
+--EXPECT--
+no crash

diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 51b27c07986baf274cf8966aadccc75575d8db3f..19e44bf23eb64e539b9ce25c785b9961ec2996da 100644 (file)
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -200,7 +200,9 @@ static inline void zend_switch_free(zend_op *opline, temp_variable *Ts TSRMLS_DC
                                 * quick & silent get_zval_ptr, and FREE_OP
                                 */
                                PZVAL_UNLOCK(T->EA.data.str_offset.str);
+#ifdef ilia_0 /* attempts to free already freed data */
                                zval_dtor(&T->tmp_var);
+#endif
                        } else {
                                zval_ptr_dtor(&T(opline->op1.u.var).var.ptr);
                                if (opline->extended_value) { /* foreach() free */