From: Dmitry Stogov
Date: Mon, 19 Sep 2005 16:28:54 +0000 (+0000)
Subject: Fixed access to memory that is already freed (in case of __call() method)
X-Git-Tag: php-5.1.0RC2~226
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0ce74871107d833c708a6fa5e964d26c8a1d6472;p=php

Fixed access to memory that is already freed (in case of __call() method)
---
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 86d50db5fe..ac48686da4 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1830,6 +1830,8 @@ ZEND_VM_HELPER(zend_do_fcall_common_helper, ANY, ANY)
 }
 }
 if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION) {
+ unsigned char return_reference = EX(function_state).function->common.return_reference;
+
 ALLOC_ZVAL(EX_T(opline->result.u.var).var.ptr);
 INIT_ZVAL(*(EX_T(opline->result.u.var).var.ptr));
 
@@ -1865,7 +1867,7 @@ ZEND_VM_HELPER(zend_do_fcall_common_helper, ANY, ANY)
 if (!return_value_used) {
 zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
 } else {
- EX_T(opline->result.u.var).var.fcall_returned_reference = EX(function_state).function->common.return_reference;
+ EX_T(opline->result.u.var).var.fcall_returned_reference = return_reference;
 }
 } else if (EX(function_state).function->type == ZEND_USER_FUNCTION) {
 HashTable *calling_symbol_table;
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 32f91d6029..2ef1b4ec64 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -163,6 +163,8 @@ static int zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS)
 }
 }
 if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION) {
+ unsigned char return_reference = EX(function_state).function->common.return_reference;
+
 ALLOC_ZVAL(EX_T(opline->result.u.var).var.ptr);
 INIT_ZVAL(*(EX_T(opline->result.u.var).var.ptr));
 
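Review bot: The new local `return_reference` in the `@@ -1830` hunk of Zend/zend_vm_def.h is declared without a comment saying why the flag is copied before the call. Without one, a later cleanup could fold it back into the direct `EX(function_state).function->common.return_reference` read that this commit removes. Going by the commit subject, a one-line comment above the declaration would pin the intent: `/* read before the call: with __call() the function struct may already be freed afterwards */`. The same applies to the mirrored declaration in the `@@ -163` hunk of Zend/zend_vm_execute.h. The enclosing helper starts and ends outside the hunk.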
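Review bot: Only the `fcall_returned_reference` assignment in the `@@ -1865` hunk of Zend/zend_vm_def.h is switched to the cached value, and the lines between the declaration and this assignment are not shown. Any other read through `EX(function_state).function` that runs after the internal handler returns would still touch the freed structure, so that stretch should be checked. The page also shows no regression test; a `.phpt` case that calls a method handled by `__call()` and uses its return value would keep this read from being reintroduced. Both points hold for the mirrored `@@ -198` hunk in Zend/zend_vm_execute.h.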
@@ -198,7 +200,7 @@ static int zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS)
 if (!return_value_used) {
 zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
 } else {
- EX_T(opline->result.u.var).var.fcall_returned_reference = EX(function_state).function->common.return_reference;
+ EX_T(opline->result.u.var).var.fcall_returned_reference = return_reference;
 }
 } else if (EX(function_state).function->type == ZEND_USER_FUNCTION) {
 HashTable *calling_symbol_table;