From: Greg Beaver <cellog@php.net>
Date: Sat, 13 Jun 2009 17:30:50 +0000 (+0000)
Subject: fix Bug #48541: spl_autoload_register only registers first closure, then leaks the... 
X-Git-Tag: php-5.3.0RC4~70
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=79d05eac0d2fb68a8029fa821b7aa823436c2886;p=php

fix Bug #48541: spl_autoload_register only registers first closure, then leaks the others.  Fix missing erealloc in fix for bug #40091 (PHP_5_3 only)
---

diff --git a/NEWS b/NEWS
index def69b4301..003e934c67 100644
--- a/NEWS
+++ b/NEWS
@@ -3,8 +3,12 @@ PHP                                                                        NEWS
 ?? ??? 2009, PHP 5.3.0 RC 4
 - Added phar.phar generation for Windows. (Greg)
 
+- Fixed bug #48541 (spl_autoload_register only registers first closure, then
+  leaks the others). (Greg)
 - Fixed bug #48533 (__callStatic is not invoked for private/protected methods).
   (Felipe)
+- Fixed missing erealloc() in fix for Bug #40091 in spl_autoload_register.
+  (Greg)
 
 11 Jun 2009, PHP 5.3.0 RC 3
 - Upgraded bundled sqlite to version 3.6.14.2. (Scott, Ilia)
diff --git a/ext/spl/php_spl.c b/ext/spl/php_spl.c
index 2e34f46e64..bb6aa42f7e 100755
--- a/ext/spl/php_spl.c
+++ b/ext/spl/php_spl.c
@@ -497,10 +497,6 @@ PHP_FUNCTION(spl_autoload_register)
 		alfi.ce = fcc.calling_scope;
 		alfi.func_ptr = fcc.function_handler;
 		obj_ptr = fcc.object_ptr;
-		if (Z_TYPE_P(zcallable) == IS_OBJECT) {
-			alfi.closure = zcallable;
-			Z_ADDREF_P(zcallable);
-		}
 		if (error) {
 			efree(error);
 		}
@@ -509,12 +505,27 @@ PHP_FUNCTION(spl_autoload_register)
 		zend_str_tolower_copy(lc_name, func_name, func_name_len);
 		efree(func_name);
 
+		if (Z_TYPE_P(zcallable) == IS_OBJECT) {
+			alfi.closure = zcallable;
+			Z_ADDREF_P(zcallable);
+
+			lc_name = erealloc(lc_name, func_name_len + 2 + sizeof(zcallable->value.obj.handle));
+			memcpy(lc_name + func_name_len, &(zcallable->value.obj.handle),
+				sizeof(zcallable->value.obj.handle));
+			func_name_len += sizeof(zcallable->value.obj.handle);
+			lc_name[func_name_len] = '\0';
+		}
+
 		if (SPL_G(autoload_functions) && zend_hash_exists(SPL_G(autoload_functions), (char*)lc_name, func_name_len+1)) {
+			if (alfi.closure) {
+				Z_DELREF_P(zcallable);
+			}
 			goto skip;
 		}
 
 		if (obj_ptr && !(alfi.func_ptr->common.fn_flags & ZEND_ACC_STATIC)) {
 			/* add object id to the hash to ensure uniqueness, for more reference look at bug #40091 */
+			lc_name = erealloc(lc_name, func_name_len + 2 + sizeof(zend_object_handle));
 			memcpy(lc_name + func_name_len, &Z_OBJ_HANDLE_P(obj_ptr), sizeof(zend_object_handle));
 			func_name_len += sizeof(zend_object_handle);
 			lc_name[func_name_len] = '\0';
diff --git a/ext/spl/tests/spl_autoload_bug48541.phpt b/ext/spl/tests/spl_autoload_bug48541.phpt
new file mode 100644
index 0000000000..eef81bd03b
--- /dev/null
+++ b/ext/spl/tests/spl_autoload_bug48541.phpt
@@ -0,0 +1,24 @@
+--TEST--
+SPL: spl_autoload_register() Bug #48541: registering multiple closures fails with memleaks
+--FILE--
+<?php
+$a = function ($class) {
+    echo "a called\n";
+};
+$b = function ($class) {
+    eval('class ' . $class . '{function __construct(){echo "foo\n";}}');
+    echo "b called\n";
+};
+spl_autoload_register($a);
+spl_autoload_register($b);
+
+$c = $a;
+spl_autoload_register($c);
+$c = new foo;
+?>
+===DONE===
+--EXPECT--
+a called
+b called
+foo
+===DONE===
\ No newline at end of file