From: Dmitry Stogov <dmitry@php.net>
Date: Thu, 26 May 2005 14:40:12 +0000 (+0000)
Subject: Fixed bug #33116 (crash when assigning class name to global variable in __autoload)
X-Git-Tag: php-5.0.5RC1~240
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=82be7f8f8550851b042e61d4d51303ae9e343d7a;p=php

Fixed bug #33116 (crash when assigning class name to global variable in __autoload)
---

diff --git a/NEWS b/NEWS
index 6608914bd6..a5febd6be5 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,8 @@ PHP                                                                        NEWS
 - Fixed ext/mysqli to allocate less memory when fetching bound params
   of type (MEDIUM|LONG)BLOB/(MEDIUM|LONG)TEXT. (Andrey)
 - Fixed memory corruption in ImageTTFText() with 64bit systems. (Andrey)
+- Fixed bug #33116 (crash when assigning class name to global variable in
+  __autoload). (Dmitry)
 - Fixed bug #33090 (mysqli_prepare() doesn't return an error). (Georg)
 - Fixed bug #33076 (str_ireplace() incorrectly counts result string length 
   and may cause segfault). (Tony)
diff --git a/Zend/tests/bug33116.phpt b/Zend/tests/bug33116.phpt
new file mode 100755
index 0000000000..aa714a1f85
--- /dev/null
+++ b/Zend/tests/bug33116.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #33116 (crash when assigning class name to global variable in __autoload)
+--FILE--
+<?php
+function __autoload($class)
+{
+  $GLOBALS['include'][] = $class;
+  eval("class DefClass{}");
+}
+
+$a = new DefClass;
+print_r($a);
+print_r($GLOBALS['include']);
+?>
+--EXPECT--
+DefClass Object
+(
+)
+Array
+(
+    [0] => DefClass
+)
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
index 1556957627..9546d869ad 100644
--- a/Zend/zend_execute_API.c
+++ b/Zend/zend_execute_API.c
@@ -908,7 +908,7 @@ ZEND_API int zend_lookup_class(char *name, int name_length, zend_class_entry ***
 {
 	zval **args[1];
 	zval autoload_function;
-	zval class_name, *class_name_ptr = &class_name;
+	zval *class_name_ptr;
 	zval *retval_ptr;
 	int retval;
 	char *lc_name;
@@ -947,8 +947,9 @@ ZEND_API int zend_lookup_class(char *name, int name_length, zend_class_entry ***
 
 	ZVAL_STRINGL(&autoload_function, ZEND_AUTOLOAD_FUNC_NAME, sizeof(ZEND_AUTOLOAD_FUNC_NAME)-1,  0);
 
+	ALLOC_ZVAL(class_name_ptr);
 	INIT_PZVAL(class_name_ptr);
-	ZVAL_STRINGL(class_name_ptr, name, name_length, 0);
+	ZVAL_STRINGL(class_name_ptr, name, name_length, 1);
 	
 	args[0] = &class_name_ptr;
 
@@ -956,6 +957,8 @@ ZEND_API int zend_lookup_class(char *name, int name_length, zend_class_entry ***
 	EG(exception) = NULL;
 	retval = call_user_function_ex(EG(function_table), NULL, &autoload_function, &retval_ptr, 1, args, 0, NULL TSRMLS_CC);
 
+	zval_ptr_dtor(&class_name_ptr);
+
 	zend_hash_del(EG(in_autoload), lc_name, name_length+1);
 
 	if (retval == FAILURE) {