From: Dmitry Stogov <dmitry@php.net>
Date: Fri, 3 Jun 2005 13:57:01 +0000 (+0000)
Subject: Fixed bug #27598 (list() array key assignment causes HUGE memory leak)
X-Git-Tag: php-5.0.5RC1~214
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=85a1e14e377b846911e99c079896f694f960b515;p=php

Fixed bug #27598 (list() array key assignment causes HUGE memory leak)
---

diff --git a/NEWS b/NEWS
index 438d3ee44b..71f3621068 100644
--- a/NEWS
+++ b/NEWS
@@ -143,6 +143,8 @@ PHP                                                                        NEWS
 - Fixed bug #28839 (SIGSEGV in interactive mode (php -a)).
   (kameshj at fastmail dot fm)
 - Fixed bug #28605 (Need to use -[m]ieee option for Alpha CPUs). (Jani)
+- Fixed bug #27598 (list() array key assignment causes HUGE memory leak).
+  (Dmitry)
 - Fixed bug #22836 (returning reference to uninitialized variable). (Dmitry)
 
 31 Mar 2005, PHP 5.0.4
diff --git a/Zend/tests/bug27598.phpt b/Zend/tests/bug27598.phpt
new file mode 100755
index 0000000000..534e8cf857
--- /dev/null
+++ b/Zend/tests/bug27598.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #27598 (list() array key assignment causes HUGE memory leak)
+--FILE--
+<?php
+list($out[0]) = array(1);
+var_dump($out);
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  int(1)
+}
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index b1805298f7..81f117bed4 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -3017,7 +3017,6 @@ void zend_do_list_end(znode *result, znode *expr TSRMLS_DC)
 	zend_llist_element *dimension;
 	zend_op *opline;
 	znode last_container;
-	int opcode_index;
 	int last_op_number;
 	zend_op *last_op;
 
@@ -3059,14 +3058,10 @@ void zend_do_list_end(znode *result, znode *expr TSRMLS_DC)
 		((list_llist_element *) le->data)->value = last_container;
 		zend_llist_destroy(&((list_llist_element *) le->data)->dimensions);
 		zend_do_end_variable_parse(BP_VAR_W, 0 TSRMLS_CC);
-		opcode_index = - 1;
 		last_op_number = get_next_op_number(CG(active_op_array))-1;
 		last_op = &CG(active_op_array)->opcodes[last_op_number];
-		if (last_op->opcode == ZEND_FETCH_OBJ_W) {
-			opcode_index = - 2;
-		}
 		zend_do_assign(result, &((list_llist_element *) le->data)->var, &((list_llist_element *) le->data)->value TSRMLS_CC);
-		CG(active_op_array)->opcodes[CG(active_op_array)->last + opcode_index].result.u.EA.type |= EXT_TYPE_UNUSED;
+		zend_do_free(result TSRMLS_CC);
 		le = le->next;
 	}
 	zend_llist_destroy(&CG(dimension_llist));
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index a0cf5356ad..084c7f9d2e 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -2235,7 +2235,7 @@ int zend_assign_dim_handler(ZEND_OPCODE_HANDLER_ARGS)
 		zend_fetch_dimension_address(&op_data->op2, &opline->op1, &opline->op2, EX(Ts), BP_VAR_W TSRMLS_CC);
 
 		value = get_zval_ptr(&op_data->op1, EX(Ts), &EG(free_op1), BP_VAR_R);
-	 	zend_assign_to_variable(&opline->result, &op_data->op2, &op_data->op1, value, (EG(free_op1)?IS_TMP_VAR:opline->op1.op_type), EX(Ts) TSRMLS_CC);
+	 	zend_assign_to_variable(&opline->result, &op_data->op2, &op_data->op1, value, (EG(free_op1)?IS_TMP_VAR:op_data->op1.op_type), EX(Ts) TSRMLS_CC);
 	}
 	/* assign_dim has two opcodes! */
 	INC_OPCODE();