From: Marcus Boerger <helly@php.net>
Date: Thu, 13 Mar 2008 19:45:22 +0000 (+0000)
Subject: - Fix possible memory corruption
X-Git-Tag: RELEASE_2_0_0a1~141
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3264a2571777f26bd9456c62eb98488b1b01813e;p=php

- Fix possible memory corruption
---

diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
index f5732fcc90..32b6fd0974 100755
--- a/ext/spl/spl_directory.c
+++ b/ext/spl/spl_directory.c
@@ -1403,10 +1403,11 @@ zend_object_iterator *spl_filesystem_dir_get_iterator(zend_class_entry *ce, zval
 static void spl_filesystem_dir_it_dtor(zend_object_iterator *iter TSRMLS_DC)
 {
 	spl_filesystem_iterator *iterator = (spl_filesystem_iterator *)iter;
+	zval *zfree = (zval*)iterator->intern.data;
 
-	zval_ptr_dtor(&iterator->current);
-	zval_ptr_dtor((zval**)&iterator->intern.data);
 	iterator->intern.data = NULL; /* mark as unused */
+	zval_ptr_dtor(&iterator->current);
+	zval_ptr_dtor(&zfree);
 }
 /* }}} */
 
@@ -1469,12 +1470,15 @@ static void spl_filesystem_dir_it_rewind(zend_object_iterator *iter TSRMLS_DC)
 static void spl_filesystem_tree_it_dtor(zend_object_iterator *iter TSRMLS_DC)
 {
 	spl_filesystem_iterator *iterator = (spl_filesystem_iterator *)iter;
+	zval *zfree = (zval*)iterator->intern.data;
 
 	if (iterator->current) {
 		zval_ptr_dtor(&iterator->current);
 	}
-	zval_ptr_dtor((zval**)&iterator->intern.data);
 	iterator->intern.data = NULL; /* mark as unused */
+	/* free twice as we add ref twice */
+	zval_ptr_dtor(&zfree);
+	zval_ptr_dtor(&zfree);
 }
 /* }}} */
 
@@ -1586,7 +1590,7 @@ zend_object_iterator *spl_filesystem_tree_get_iterator(zend_class_entry *ce, zva
 	dir_object = (spl_filesystem_object*)zend_object_store_get_object(object TSRMLS_CC);
 	iterator   = spl_filesystem_object_to_iterator(dir_object);
 
-	Z_ADDREF_P(object);
+	Z_SET_REFCOUNT_P(object, Z_REFCOUNT_P(object) + 2);
 	iterator->intern.data = (void*)object;
 	iterator->intern.funcs = &spl_filesystem_tree_it_funcs;
 	iterator->current = NULL;
diff --git a/ext/spl/tests/dit_003.phpt b/ext/spl/tests/dit_003.phpt
new file mode 100755
index 0000000000..4232a7fbc4
--- /dev/null
+++ b/ext/spl/tests/dit_003.phpt
@@ -0,0 +1,17 @@
+--TEST--
+SPL: FilesystemIterator and foreach
+--SKIPIF--
+<?php if (!extension_loaded("spl")) print "skip"; ?>
+--FILE--
+<?php
+$count = 0;
+foreach(new FilesystemIterator('CVS') as $ent)
+{
+	++$count;
+}
+var_dump($count > 0);
+?>
+===DONE===
+--EXPECTF--
+bool(true)
+===DONE===