From: Ilia Alshanetsky
Date: Wed, 22 Oct 2003 23:42:55 +0000 (+0000)
Subject: Fixed bug #25922 (Crash in error handler when 5th argument is modified).
X-Git-Tag: php-5.0.0b2RC1~10
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5dac0007f3268f240b82e6d3273f43e4ff131b0f;p=php
Fixed bug #25922 (Crash in error handler when 5th argument is modified).
---
diff --git a/Zend/zend.c b/Zend/zend.c
index 013c107f3e..2e5d37cfc8 100644
--- a/Zend/zend.c
+++ b/Zend/zend.c
@@ -840,7 +840,6 @@ ZEND_API void zend_error(int type, const char *format, ...)
 zval ***params;
 zval *retval;
 zval *z_error_type, *z_error_message, *z_error_filename, *z_error_lineno, *z_context;
- zval lz_context;
 char *error_filename;
 uint error_lineno;
 zval *orig_user_error_handler;
@@ -903,6 +902,7 @@ ZEND_API void zend_error(int type, const char *format, ...)
 ALLOC_INIT_ZVAL(z_error_type);
 ALLOC_INIT_ZVAL(z_error_filename);
 ALLOC_INIT_ZVAL(z_error_lineno);
+ ALLOC_INIT_ZVAL(z_context);
 z_error_message->value.str.len = zend_vspprintf(&z_error_message->value.str.val, 0, format, args);
 z_error_message->type = IS_STRING;
@@ -919,11 +919,9 @@ ZEND_API void zend_error(int type, const char *format, ...)
 z_error_lineno->value.lval = error_lineno;
 z_error_lineno->type = IS_LONG;
- lz_context.value.ht = EG(active_symbol_table);
- lz_context.type = IS_ARRAY;
- lz_context.is_ref = 1;
- lz_context.refcount = 2; /* we don't want this one to be freed */
- z_context = &lz_context;
+ z_context->value.ht = EG(active_symbol_table);
+ z_context->type = IS_ARRAY;
+ ZVAL_ADDREF(z_context); /* we don't want this one to be freed */
 params = (zval ***) emalloc(sizeof(zval **)*5);
 params[0] = &z_error_type;
@@ -949,7 +947,9 @@ ZEND_API void zend_error(int type, const char *format, ...)
 zval_ptr_dtor(&z_error_type);
 zval_ptr_dtor(&z_error_filename);
 zval_ptr_dtor(&z_error_lineno);
- ZVAL_DELREF(z_context);
+ if (ZVAL_REFCOUNT(z_context) == 2) {
+ FREE_ZVAL(z_context);
+ }
 break;
 }
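Review bot: The cleanup in the last zend.c hunk (@@ -949,7 +947,9 @@) releases z_context only when `ZVAL_REFCOUNT(z_context) == 2` and has no else branch, so for any other count the container from `ALLOC_INIT_ZVAL(z_context)` is left allocated while still pointing at `EG(active_symbol_table)`. If a handler can retain its 5th argument (not determinable from these hunks), that zval would outlive the call holding a table it does not own, which is worth ruling out explicitly since this path already crashed once. The literal 2 is also silently coupled to the `ZVAL_ADDREF(z_context)` in the @@ -919,11 +919,9 @@ hunk, and the retained comment "we don't want this one to be freed" no longer says whether it means the zval or the HashTable. I would add `/* 2 == initial ref + guard ADDREF above; free only the container, the HashTable belongs to the executor */` above the check and state what is intended when the count differs. zend_error's body starts and ends outside the hunks.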
diff --git a/tests/lang/bug25922.phpt b/tests/lang/bug25922.phpt
new file mode 100755
index 0000000000..0588eef949
--- /dev/null
+++ b/tests/lang/bug25922.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #25922 (SEGV in error_handler when context is destroyed)
+--INI--
+error_reporting=2047
+--FILE--
+
+--EXPECT--
+Undefined index here: ''