From: Xinchen Hui <laruence@gmail.com>
Date: Mon, 15 Feb 2016 02:32:50 +0000 (+0800)
Subject: Merge branch 'PHP-5.6' into PHP-7.0
X-Git-Tag: php-7.0.4RC1~20
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8974e4c7814eb0ca6e6f00fcd8d9df9d62283d59;p=php

Merge branch 'PHP-5.6' into PHP-7.0

* PHP-5.6:
  Update NEWS: "Fixed bug  #71584 (Possible use-after-free of ZCG(cwd) in Zend Opcache)"
  Fix use-after-free of ZCG(cwd) in Zend Optimizer

Conflicts:
	ext/opcache/ZendAccelerator.c
---

8974e4c7814eb0ca6e6f00fcd8d9df9d62283d59
diff --cc ext/opcache/ZendAccelerator.c
index 2440a56582,0f66c56ea6..f0dc770109
--- a/ext/opcache/ZendAccelerator.c
+++ b/ext/opcache/ZendAccelerator.c
@@@ -2283,7 -2368,13 +2283,12 @@@ static void accel_deactivate(void
  	 * In general, they're restored by persistent_compile_file(), but in case
  	 * the script is aborted abnormally, they may become messed up.
  	 */
 -	TSRMLS_FETCH();
  
+ 	if (ZCG(cwd)) {
 -		efree(ZCG(cwd));
++		zend_string_release(ZCG(cwd));
+ 		ZCG(cwd) = NULL;
+ 	}
+ 
  	if (!ZCG(enabled) || !accel_startup_ok) {
  		return;
  	}
@@@ -2293,16 -2384,10 +2298,10 @@@
  	ZCG(counted) = 0;
  
  #if !ZEND_DEBUG
 -	if (ZCG(accel_directives).fast_shutdown) {
 -		zend_accel_fast_shutdown(TSRMLS_C);
 +	if (ZCG(accel_directives).fast_shutdown && is_zend_mm()) {
 +		zend_accel_fast_shutdown();
  	}
  #endif
- 
- 	if (ZCG(cwd)) {
- 		zend_string_release(ZCG(cwd));
- 		ZCG(cwd) = NULL;
- 	}
- 
  }
  
  static int accelerator_remove_cb(zend_extension *element1, zend_extension *element2)