From: Dmitry Stogov <dmitry@php.net>
Date: Wed, 16 Nov 2005 11:52:53 +0000 (+0000)
Subject: Fixed bug #35239 (Objects can lose references)
X-Git-Tag: RELEASE_0_9_3~33
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8373809e2e3123b75aa516ce90030f7538d69838;p=php

Fixed bug #35239 (Objects can lose references)
---

diff --git a/Zend/tests/bug35239.phpt b/Zend/tests/bug35239.phpt
new file mode 100755
index 0000000000..7fc7b7d3b6
--- /dev/null
+++ b/Zend/tests/bug35239.phpt
@@ -0,0 +1,41 @@
+--TEST--
+Bug #35239 (Objects can lose references)
+--FILE--
+<?php
+$a = new stdClass; 
+$a->x0 = new stdClass;
+$a->x0->y0 = 'a';
+$a->x0->y1 =& $a->x0;
+$a->x0->y2 =& $a->x0;
+$a->x0->y0 = 'b';
+var_dump($a);
+$a->x0->y1 = "ok\n";
+echo $a->x0;
+?>
+--EXPECT--
+object(stdClass)#1 (1) {
+  ["x0"]=>
+  &object(stdClass)#2 (3) {
+    ["y0"]=>
+    string(1) "b"
+    ["y1"]=>
+    &object(stdClass)#2 (3) {
+      ["y0"]=>
+      string(1) "b"
+      ["y1"]=>
+      *RECURSION*
+      ["y2"]=>
+      *RECURSION*
+    }
+    ["y2"]=>
+    &object(stdClass)#2 (3) {
+      ["y0"]=>
+      string(1) "b"
+      ["y1"]=>
+      *RECURSION*
+      ["y2"]=>
+      *RECURSION*
+    }
+  }
+}
+ok
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 8b399e0a65..f7ae230b0a 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1352,11 +1352,6 @@ static void zend_fetch_property_address(temp_variable *result, zval **container_
 		return;
 	}
 		
-	if ((type==BP_VAR_W || type==BP_VAR_RW) && container->refcount>1 && !PZVAL_IS_REF(container)) {
-		SEPARATE_ZVAL(container_ptr);
-		container = *container_ptr;
-	}
-
 	if (Z_OBJ_HT_P(container)->get_property_ptr_ptr) {
 		zval **ptr_ptr = Z_OBJ_HT_P(container)->get_property_ptr_ptr(container, prop_ptr TSRMLS_CC);
 		if (NULL == ptr_ptr) {
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index 043835416e..93e1c27d14 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -389,13 +389,15 @@ static void zend_std_write_property(zval *object, zval *member, zval *value TSRM
 			/* if we are assigning reference, we shouldn't move it, but instead assign variable
 			   to the same pointer */
 			if (PZVAL_IS_REF(*variable_ptr)) {
-				zval_dtor(*variable_ptr); /* old value should be destroyed */
+				zval garbage = **variable_ptr; /* old value should be destroyed */
+
 				/* To check: can't *variable_ptr be some system variable like error_zval here? */
 				(*variable_ptr)->type = value->type;
 				(*variable_ptr)->value = value->value;
 				if (value->refcount>0) {
 					zval_copy_ctor(*variable_ptr);
 				}
+				zval_dtor(&garbage);
 				setter_done = 1;
 			}
 		}