From: Dmitry Stogov Date: Mon, 19 Sep 2005 16:28:43 +0000 (+0000) Subject: Fixed access to memory that is already freed (in case of __call() method) X-Git-Tag: RELEASE_0_9_0~180 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a106b48982998e294acb77fe4cc1436898371b2a;p=php Fixed access to memory that is already freed (in case of __call() method)
---
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 25358fc72f..391da2272e 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1868,6 +1868,8 @@ ZEND_VM_HELPER(zend_do_fcall_common_helper, ANY, ANY)
 }
 }
 if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION) {
+ unsigned char return_reference = EX(function_state).function->common.return_reference;
+
 ALLOC_ZVAL(EX_T(opline->result.u.var).var.ptr);
 INIT_ZVAL(*(EX_T(opline->result.u.var).var.ptr));
 
@@ -1903,7 +1905,7 @@ ZEND_VM_HELPER(zend_do_fcall_common_helper, ANY, ANY)
 if (!return_value_used) {
 zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
 } else {
- EX_T(opline->result.u.var).var.fcall_returned_reference = EX(function_state).function->common.return_reference;
+ EX_T(opline->result.u.var).var.fcall_returned_reference = return_reference;
 }
 } else if (EX(function_state).function->type == ZEND_USER_FUNCTION) {
 HashTable *calling_symbol_table;
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 81f2fe9e51..9a23ad8a38 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -172,6 +172,8 @@ static int zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS)
 }
 }
 if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION) {
+ unsigned char return_reference = EX(function_state).function->common.return_reference;
+
 ALLOC_ZVAL(EX_T(opline->result.u.var).var.ptr);
 INIT_ZVAL(*(EX_T(opline->result.u.var).var.ptr));
 
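Review bot: The new `return_reference` local at the top of the ZEND_INTERNAL_FUNCTION branch in Zend/zend_vm_def.h (hunk at -1868) has no comment saying why the flag is copied before the call. Without one, a later cleanup could fold it back into a direct read of `EX(function_state).function` and reintroduce the freed-memory access the commit message describes. I would add above the declaration `/* copy before the call: with __call() the function struct may already be freed when the handler returns */`. The same declaration appears in the zend_vm_execute.h hunk at -172, which looks like the generated counterpart of this template, so the comment belongs here. The branch body continues outside the hunk.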
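Review bot: In the Zend/zend_vm_def.h hunk at -1903, only the `fcall_returned_reference` assignment in the `else` arm is switched to the cached value. The lines between the declaration at 1868 and this assignment are not shown, so it is worth confirming that no other read through `EX(function_state).function` runs after the internal handler returns, since it would touch the same freed structure. If one remains, it should be cached the same way as `return_reference`. A regression test that invokes a method through __call() and is run under a memory checker would keep this path covered.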
@@ -207,7 +209,7 @@ static int zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS)
 if (!return_value_used) {
 zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
 } else {
- EX_T(opline->result.u.var).var.fcall_returned_reference = EX(function_state).function->common.return_reference;
+ EX_T(opline->result.u.var).var.fcall_returned_reference = return_reference;
 }
 } else if (EX(function_state).function->type == ZEND_USER_FUNCTION) {
 HashTable *calling_symbol_table;