From: Ilia Alshanetsky <iliaa@php.net>
Date: Sun, 28 Oct 2007 13:44:09 +0000 (+0000)
Subject: MFB: Fixed bug #42976 (Crash when constructor for newInstance() or
X-Git-Tag: RELEASE_2_0_0a1~1534
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8ef85b486af7a59d295a2d3a3a565ad408eeadac;p=php

MFB: Fixed bug #42976 (Crash when constructor for newInstance() or
newInstanceArgs() fails)
---

diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
index 0ce79a14d3..37ca021614 100644
--- a/ext/reflection/php_reflection.c
+++ b/ext/reflection/php_reflection.c
@@ -3484,7 +3484,7 @@ ZEND_METHOD(reflection_class, isInstance)
    Returns an instance of this class */
 ZEND_METHOD(reflection_class, newInstance)
 {
-	zval *retval_ptr;
+	zval *retval_ptr = NULL;
 	reflection_object *intern;
 	zend_class_entry *ce;
 	int argc = ZEND_NUM_ARGS();
@@ -3528,7 +3528,9 @@ ZEND_METHOD(reflection_class, newInstance)
 
 		if (zend_call_function(&fci, &fcc TSRMLS_CC) == FAILURE) {
 			efree(params);
-			zval_ptr_dtor(&retval_ptr);
+			if (retval_ptr) {
+				zval_ptr_dtor(&retval_ptr);
+			}
 			zend_error(E_WARNING, "Invocation of %v's constructor failed", ce->name);
 			RETURN_NULL();
 		}
@@ -3548,7 +3550,7 @@ ZEND_METHOD(reflection_class, newInstance)
    Returns an instance of this class */
 ZEND_METHOD(reflection_class, newInstanceArgs)
 {
-	zval *retval_ptr;
+	zval *retval_ptr = NULL;
 	reflection_object *intern;
 	zend_class_entry *ce;
 	int argc = 0;
@@ -3603,7 +3605,9 @@ ZEND_METHOD(reflection_class, newInstanceArgs)
 			if (params) {
 				efree(params);
 			}
-			zval_ptr_dtor(&retval_ptr);
+			if (retval_ptr) {
+				zval_ptr_dtor(&retval_ptr);
+			}
 			zend_error(E_WARNING, "Invocation of %v's constructor failed", ce->name);
 			RETURN_NULL();
 		}
diff --git a/ext/reflection/tests/bug42976.phpt b/ext/reflection/tests/bug42976.phpt
new file mode 100644
index 0000000000..38aed3a400
--- /dev/null
+++ b/ext/reflection/tests/bug42976.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails)
+--FILE--
+<?php
+
+Class C {
+	function __construct(&$x) {
+		$x = "x.changed";
+	}
+}
+
+$x = "x.original";
+new C($x); // OK
+var_dump($x);
+
+$rc = new ReflectionClass('C');
+$x = "x.original";
+$rc->newInstance($x); // causes crash
+var_dump($x);
+$x = "x.original";
+$rc->newInstanceArgs(array($x)); // causes crash	
+var_dump($x);
+
+echo "Done\n";
+?>
+--EXPECTF--	
+string(9) "x.changed"
+
+Warning: Invocation of C's constructor failed in %s/bug42976.php on line %d
+string(10) "x.original"
+
+Warning: Invocation of C's constructor failed in %s/bug42976.php on line %d
+string(10) "x.original"
+Done