From: Dmitry Stogov <dmitry@php.net>
Date: Tue, 15 Jun 2010 08:22:51 +0000 (+0000)
Subject: Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from... 
X-Git-Tag: php-5.3.3RC1~25
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3d5f7291819bbef5442f83b82202ebd0e67162b9;p=php

Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from function)
---

diff --git a/Zend/tests/bug52041.phpt b/Zend/tests/bug52041.phpt
new file mode 100644
index 0000000000..b481b894da
--- /dev/null
+++ b/Zend/tests/bug52041.phpt
@@ -0,0 +1,50 @@
+--TEST--
+Bug #52041 (Memory leak when writing on uninitialized variable returned from function)
+--FILE--
+<?php
+function foo() {
+	return $x;
+}
+
+foo()->a = 1;
+foo()->a->b = 2;
+foo()->a++;
+foo()->a->b++;
+foo()->a += 2;
+foo()->a->b += 2;
+
+//foo()[0] = 1;
+//foo()[0][0] = 2;
+//foo()[0]++;
+//foo()[0][0]++;
+//foo()[0] += 2;
+//foo()[0][0] += 2;
+var_dump(foo());
+?>
+--EXPECTF--
+Notice: Undefined variable: x in %sbug52041.php on line 3
+
+Strict Standards: Creating default object from empty value in %sbug52041.php on line 6
+
+Notice: Undefined variable: x in %sbug52041.php on line 3
+
+Strict Standards: Creating default object from empty value in %sbug52041.php on line 7
+
+Notice: Undefined variable: x in %sbug52041.php on line 3
+
+Strict Standards: Creating default object from empty value in %sbug52041.php on line 8
+
+Notice: Undefined variable: x in %sbug52041.php on line 3
+
+Strict Standards: Creating default object from empty value in %sbug52041.php on line 9
+
+Notice: Undefined variable: x in %sbug52041.php on line 3
+
+Strict Standards: Creating default object from empty value in %sbug52041.php on line 10
+
+Notice: Undefined variable: x in %sbug52041.php on line 3
+
+Strict Standards: Creating default object from empty value in %sbug52041.php on line 11
+
+Notice: Undefined variable: x in %sbug52041.php on line 3
+NULL
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index e953d405f0..cd26f5e8e6 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -2493,6 +2493,12 @@ ZEND_VM_C_LABEL(return_by_value):
 				INIT_PZVAL_COPY(ret, retval_ptr);
 				zval_copy_ctor(ret);
 				*EG(return_value_ptr_ptr) = ret;
+			} else if ((OP1_TYPE == IS_CV || OP1_TYPE == IS_VAR) &&
+			           retval_ptr == &EG(uninitialized_zval)) {
+				zval *ret;
+
+				ALLOC_INIT_ZVAL(ret);
+				*EG(return_value_ptr_ptr) = ret;
 			} else {
 				*EG(return_value_ptr_ptr) = retval_ptr;
 				Z_ADDREF_P(retval_ptr);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index e1e1b976b1..45f5c62c2a 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -1664,6 +1664,12 @@ return_by_value:
 				INIT_PZVAL_COPY(ret, retval_ptr);
 				zval_copy_ctor(ret);
 				*EG(return_value_ptr_ptr) = ret;
+			} else if ((IS_CONST == IS_CV || IS_CONST == IS_VAR) &&
+			           retval_ptr == &EG(uninitialized_zval)) {
+				zval *ret;
+
+				ALLOC_INIT_ZVAL(ret);
+				*EG(return_value_ptr_ptr) = ret;
 			} else {
 				*EG(return_value_ptr_ptr) = retval_ptr;
 				Z_ADDREF_P(retval_ptr);
@@ -4931,6 +4937,12 @@ return_by_value:
 				INIT_PZVAL_COPY(ret, retval_ptr);
 				zval_copy_ctor(ret);
 				*EG(return_value_ptr_ptr) = ret;
+			} else if ((IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) &&
+			           retval_ptr == &EG(uninitialized_zval)) {
+				zval *ret;
+
+				ALLOC_INIT_ZVAL(ret);
+				*EG(return_value_ptr_ptr) = ret;
 			} else {
 				*EG(return_value_ptr_ptr) = retval_ptr;
 				Z_ADDREF_P(retval_ptr);
@@ -8167,6 +8179,12 @@ return_by_value:
 				INIT_PZVAL_COPY(ret, retval_ptr);
 				zval_copy_ctor(ret);
 				*EG(return_value_ptr_ptr) = ret;
+			} else if ((IS_VAR == IS_CV || IS_VAR == IS_VAR) &&
+			           retval_ptr == &EG(uninitialized_zval)) {
+				zval *ret;
+
+				ALLOC_INIT_ZVAL(ret);
+				*EG(return_value_ptr_ptr) = ret;
 			} else {
 				*EG(return_value_ptr_ptr) = retval_ptr;
 				Z_ADDREF_P(retval_ptr);
@@ -22027,6 +22045,12 @@ return_by_value:
 				INIT_PZVAL_COPY(ret, retval_ptr);
 				zval_copy_ctor(ret);
 				*EG(return_value_ptr_ptr) = ret;
+			} else if ((IS_CV == IS_CV || IS_CV == IS_VAR) &&
+			           retval_ptr == &EG(uninitialized_zval)) {
+				zval *ret;
+
+				ALLOC_INIT_ZVAL(ret);
+				*EG(return_value_ptr_ptr) = ret;
 			} else {
 				*EG(return_value_ptr_ptr) = retval_ptr;
 				Z_ADDREF_P(retval_ptr);
diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index 3e63dbe02a..bc2df3cd0c 100644
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -1562,8 +1562,13 @@ static zval *to_zval_object_ex(encodeTypePtr type, xmlNodePtr data, zend_class_e
 			}
 			model_to_zval_object(ret, sdlType->model, data, sdl TSRMLS_CC);
 			if (redo_any) {
-				if (get_zval_property(ret, "any" TSRMLS_CC) == NULL) {
+				zval *tmp = get_zval_property(ret, "any" TSRMLS_CC);
+
+				if (tmp == NULL) {
 					model_to_zval_any(ret, data->children TSRMLS_CC);
+				} else if (Z_REFCOUNT_P(tmp) == 0) {
+					zval_dtor(tmp);
+					efree(tmp);
 				}
 				zval_ptr_dtor(&redo_any);
 			}