From: Dmitry Stogov <dmitry@php.net>
Date: Thu, 15 Jan 2009 08:48:58 +0000 (+0000)
Subject: Fixed bug #47109 (Memory leak on $a->{"a"."b"} when $a is not an object)
X-Git-Tag: php-5.3.0beta1~145
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8075f2e4b7ea0371eb185478bcd1910c97f78f0b;p=php

Fixed bug #47109 (Memory leak on $a->{"a"."b"} when $a is not an object)
---

diff --git a/Zend/tests/bug47109.phpt b/Zend/tests/bug47109.phpt
new file mode 100644
index 0000000000..8f810d7fb1
--- /dev/null
+++ b/Zend/tests/bug47109.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #47109 (Memory leak on $a->{"a"."b"} when $a is not an object)
+--FILE--
+<?php
+$a->{"a"."b"};
+?>
+--EXPECTF--
+Notice: Undefined variable: a in %sbug47109.php on line 2
+
+Notice: Trying to get property of non-object in %sbug47109.php on line 2
+
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 8149695e46..5c35aad635 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1236,12 +1236,15 @@ ZEND_VM_HELPER_EX(zend_fetch_property_address_read_helper, VAR|UNUSED|CV, CONST|
 	zend_op *opline = EX(opline);
 	zend_free_op free_op1;
 	zval *container = GET_OP1_OBJ_ZVAL_PTR(type);
+	zend_free_op free_op2;
+	zval *offset  = GET_OP2_ZVAL_PTR(BP_VAR_R);
 
 	if (container == EG(error_zval_ptr)) {
 		if (!RETURN_VALUE_UNUSED(&opline->result)) {
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
 			PZVAL_LOCK(EG(error_zval_ptr));
 		}
+		FREE_OP2();
 		FREE_OP1();
 		ZEND_VM_NEXT_OPCODE();
 	}
@@ -1255,9 +1258,8 @@ ZEND_VM_HELPER_EX(zend_fetch_property_address_read_helper, VAR|UNUSED|CV, CONST|
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
 			PZVAL_LOCK(EG(uninitialized_zval_ptr));
 		}
+		FREE_OP2();
 	} else {
-		zend_free_op free_op2;
-		zval *offset  = GET_OP2_ZVAL_PTR(BP_VAR_R);
 		zval *retval;
 
 		if (IS_OP2_TMP_FREE()) {
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 0139f65979..2e85088bd0 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -9906,11 +9906,14 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_CONST(
 	zend_free_op free_op1;
 	zval *container = _get_zval_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
 
+	zval *offset  = &opline->op2.u.constant;
+
 	if (container == EG(error_zval_ptr)) {
 		if (!RETURN_VALUE_UNUSED(&opline->result)) {
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
 			PZVAL_LOCK(EG(error_zval_ptr));
 		}
+
 		if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
 		ZEND_VM_NEXT_OPCODE();
 	}
@@ -9924,9 +9927,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_CONST(
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
 			PZVAL_LOCK(EG(uninitialized_zval_ptr));
 		}
-	} else {
 
-		zval *offset  = &opline->op2.u.constant;
+	} else {
 		zval *retval;
 
 		if (0) {
@@ -11740,12 +11742,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_TMP(in
 	zend_op *opline = EX(opline);
 	zend_free_op free_op1;
 	zval *container = _get_zval_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
+	zend_free_op free_op2;
+	zval *offset  = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
 	if (container == EG(error_zval_ptr)) {
 		if (!RETURN_VALUE_UNUSED(&opline->result)) {
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
 			PZVAL_LOCK(EG(error_zval_ptr));
 		}
+		zval_dtor(free_op2.var);
 		if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
 		ZEND_VM_NEXT_OPCODE();
 	}
@@ -11759,9 +11764,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_TMP(in
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
 			PZVAL_LOCK(EG(uninitialized_zval_ptr));
 		}
+		zval_dtor(free_op2.var);
 	} else {
-		zend_free_op free_op2;
-		zval *offset  = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 		zval *retval;
 
 		if (1) {
@@ -13521,12 +13525,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_VAR(in
 	zend_op *opline = EX(opline);
 	zend_free_op free_op1;
 	zval *container = _get_zval_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
+	zend_free_op free_op2;
+	zval *offset  = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
 	if (container == EG(error_zval_ptr)) {
 		if (!RETURN_VALUE_UNUSED(&opline->result)) {
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
 			PZVAL_LOCK(EG(error_zval_ptr));
 		}
+		if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
 		if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
 		ZEND_VM_NEXT_OPCODE();
 	}
@@ -13540,9 +13547,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_VAR(in
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
 			PZVAL_LOCK(EG(uninitialized_zval_ptr));
 		}
+		if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
 	} else {
-		zend_free_op free_op2;
-		zval *offset  = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 		zval *retval;
 
 		if (0) {
@@ -15967,11 +15973,14 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_CV(int
 	zend_free_op free_op1;
 	zval *container = _get_zval_ptr_var(&opline->op1, EX(Ts), &free_op1 TSRMLS_CC);
 
+	zval *offset  = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
+
 	if (container == EG(error_zval_ptr)) {
 		if (!RETURN_VALUE_UNUSED(&opline->result)) {
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
 			PZVAL_LOCK(EG(error_zval_ptr));
 		}
+
 		if (free_op1.var) {zval_ptr_dtor(&free_op1.var);};
 		ZEND_VM_NEXT_OPCODE();
 	}
@@ -15985,9 +15994,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_VAR_CV(int
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
 			PZVAL_LOCK(EG(uninitialized_zval_ptr));
 		}
-	} else {
 
-		zval *offset  = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
+	} else {
 		zval *retval;
 
 		if (0) {
@@ -17453,12 +17461,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_CON
 
 	zval *container = _get_obj_zval_ptr_unused(TSRMLS_C);
 
+	zval *offset  = &opline->op2.u.constant;
+
 	if (container == EG(error_zval_ptr)) {
 		if (!RETURN_VALUE_UNUSED(&opline->result)) {
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
 			PZVAL_LOCK(EG(error_zval_ptr));
 		}
 
+
 		ZEND_VM_NEXT_OPCODE();
 	}
 
@@ -17471,9 +17482,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_CON
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
 			PZVAL_LOCK(EG(uninitialized_zval_ptr));
 		}
-	} else {
 
-		zval *offset  = &opline->op2.u.constant;
+	} else {
 		zval *retval;
 
 		if (0) {
@@ -18584,12 +18594,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_TMP
 	zend_op *opline = EX(opline);
 
 	zval *container = _get_obj_zval_ptr_unused(TSRMLS_C);
+	zend_free_op free_op2;
+	zval *offset  = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
 	if (container == EG(error_zval_ptr)) {
 		if (!RETURN_VALUE_UNUSED(&opline->result)) {
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
 			PZVAL_LOCK(EG(error_zval_ptr));
 		}
+		zval_dtor(free_op2.var);
 
 		ZEND_VM_NEXT_OPCODE();
 	}
@@ -18603,9 +18616,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_TMP
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
 			PZVAL_LOCK(EG(uninitialized_zval_ptr));
 		}
+		zval_dtor(free_op2.var);
 	} else {
-		zend_free_op free_op2;
-		zval *offset  = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 		zval *retval;
 
 		if (1) {
@@ -19661,12 +19673,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_VAR
 	zend_op *opline = EX(opline);
 
 	zval *container = _get_obj_zval_ptr_unused(TSRMLS_C);
+	zend_free_op free_op2;
+	zval *offset  = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
 	if (container == EG(error_zval_ptr)) {
 		if (!RETURN_VALUE_UNUSED(&opline->result)) {
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
 			PZVAL_LOCK(EG(error_zval_ptr));
 		}
+		if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
 
 		ZEND_VM_NEXT_OPCODE();
 	}
@@ -19680,9 +19695,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_VAR
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
 			PZVAL_LOCK(EG(uninitialized_zval_ptr));
 		}
+		if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
 	} else {
-		zend_free_op free_op2;
-		zval *offset  = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 		zval *retval;
 
 		if (0) {
@@ -21010,12 +21024,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_CV(
 
 	zval *container = _get_obj_zval_ptr_unused(TSRMLS_C);
 
+	zval *offset  = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
+
 	if (container == EG(error_zval_ptr)) {
 		if (!RETURN_VALUE_UNUSED(&opline->result)) {
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
 			PZVAL_LOCK(EG(error_zval_ptr));
 		}
 
+
 		ZEND_VM_NEXT_OPCODE();
 	}
 
@@ -21028,9 +21045,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_UNUSED_CV(
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
 			PZVAL_LOCK(EG(uninitialized_zval_ptr));
 		}
-	} else {
 
-		zval *offset  = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
+	} else {
 		zval *retval;
 
 		if (0) {
@@ -23790,12 +23806,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_CONST(i
 
 	zval *container = _get_zval_ptr_cv(&opline->op1, EX(Ts), type TSRMLS_CC);
 
+	zval *offset  = &opline->op2.u.constant;
+
 	if (container == EG(error_zval_ptr)) {
 		if (!RETURN_VALUE_UNUSED(&opline->result)) {
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
 			PZVAL_LOCK(EG(error_zval_ptr));
 		}
 
+
 		ZEND_VM_NEXT_OPCODE();
 	}
 
@@ -23808,9 +23827,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_CONST(i
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
 			PZVAL_LOCK(EG(uninitialized_zval_ptr));
 		}
-	} else {
 
-		zval *offset  = &opline->op2.u.constant;
+	} else {
 		zval *retval;
 
 		if (0) {
@@ -25455,12 +25473,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_TMP(int
 	zend_op *opline = EX(opline);
 
 	zval *container = _get_zval_ptr_cv(&opline->op1, EX(Ts), type TSRMLS_CC);
+	zend_free_op free_op2;
+	zval *offset  = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
 	if (container == EG(error_zval_ptr)) {
 		if (!RETURN_VALUE_UNUSED(&opline->result)) {
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
 			PZVAL_LOCK(EG(error_zval_ptr));
 		}
+		zval_dtor(free_op2.var);
 
 		ZEND_VM_NEXT_OPCODE();
 	}
@@ -25474,9 +25495,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_TMP(int
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
 			PZVAL_LOCK(EG(uninitialized_zval_ptr));
 		}
+		zval_dtor(free_op2.var);
 	} else {
-		zend_free_op free_op2;
-		zval *offset  = _get_zval_ptr_tmp(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 		zval *retval;
 
 		if (1) {
@@ -27124,12 +27144,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_VAR(int
 	zend_op *opline = EX(opline);
 
 	zval *container = _get_zval_ptr_cv(&opline->op1, EX(Ts), type TSRMLS_CC);
+	zend_free_op free_op2;
+	zval *offset  = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 
 	if (container == EG(error_zval_ptr)) {
 		if (!RETURN_VALUE_UNUSED(&opline->result)) {
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
 			PZVAL_LOCK(EG(error_zval_ptr));
 		}
+		if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
 
 		ZEND_VM_NEXT_OPCODE();
 	}
@@ -27143,9 +27166,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_VAR(int
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
 			PZVAL_LOCK(EG(uninitialized_zval_ptr));
 		}
+		if (free_op2.var) {zval_ptr_dtor(&free_op2.var);};
 	} else {
-		zend_free_op free_op2;
-		zval *offset  = _get_zval_ptr_var(&opline->op2, EX(Ts), &free_op2 TSRMLS_CC);
 		zval *retval;
 
 		if (0) {
@@ -29355,12 +29377,15 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_CV(int
 
 	zval *container = _get_zval_ptr_cv(&opline->op1, EX(Ts), type TSRMLS_CC);
 
+	zval *offset  = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
+
 	if (container == EG(error_zval_ptr)) {
 		if (!RETURN_VALUE_UNUSED(&opline->result)) {
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(error_zval_ptr));
 			PZVAL_LOCK(EG(error_zval_ptr));
 		}
 
+
 		ZEND_VM_NEXT_OPCODE();
 	}
 
@@ -29373,9 +29398,8 @@ static int ZEND_FASTCALL zend_fetch_property_address_read_helper_SPEC_CV_CV(int
 			AI_SET_PTR(EX_T(opline->result.u.var).var, EG(uninitialized_zval_ptr));
 			PZVAL_LOCK(EG(uninitialized_zval_ptr));
 		}
-	} else {
 
-		zval *offset  = _get_zval_ptr_cv(&opline->op2, EX(Ts), BP_VAR_R TSRMLS_CC);
+	} else {
 		zval *retval;
 
 		if (0) {