From: Marcus Boerger <helly@php.net>
Date: Thu, 13 Mar 2008 19:46:44 +0000 (+0000)
Subject: - MFH Fix possible memory corruption
X-Git-Tag: BEFORE_NEW_PARAMETER_PARSE~593
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c17997d4b6c1cc5fb533ff061e4835278c498abd;p=php

- MFH Fix possible memory corruption
---

diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
index 660c60384a..96fc5e781b 100755
--- a/ext/spl/spl_directory.c
+++ b/ext/spl/spl_directory.c
@@ -1293,10 +1293,11 @@ zend_object_iterator *spl_filesystem_dir_get_iterator(zend_class_entry *ce, zval
 static void spl_filesystem_dir_it_dtor(zend_object_iterator *iter TSRMLS_DC)
 {
 	spl_filesystem_iterator *iterator = (spl_filesystem_iterator *)iter;
+	zval *zfree = (zval*)iterator->intern.data;
 
-	zval_ptr_dtor(&iterator->current);
-	zval_ptr_dtor((zval**)&iterator->intern.data);
 	iterator->intern.data = NULL; /* mark as unused */
+	zval_ptr_dtor(&iterator->current);
+	zval_ptr_dtor(&zfree);
 }
 /* }}} */
 
@@ -1359,12 +1360,15 @@ static void spl_filesystem_dir_it_rewind(zend_object_iterator *iter TSRMLS_DC)
 static void spl_filesystem_tree_it_dtor(zend_object_iterator *iter TSRMLS_DC)
 {
 	spl_filesystem_iterator *iterator = (spl_filesystem_iterator *)iter;
+	zval *zfree = (zval*)iterator->intern.data;
 
 	if (iterator->current) {
 		zval_ptr_dtor(&iterator->current);
 	}
-	zval_ptr_dtor((zval**)&iterator->intern.data);
 	iterator->intern.data = NULL; /* mark as unused */
+	/* free twice as we add ref twice */
+	zval_ptr_dtor(&zfree);
+	zval_ptr_dtor(&zfree);
 }
 /* }}} */
 
@@ -1475,7 +1479,7 @@ zend_object_iterator *spl_filesystem_tree_get_iterator(zend_class_entry *ce, zva
 	dir_object = (spl_filesystem_object*)zend_object_store_get_object(object TSRMLS_CC);
 	iterator   = spl_filesystem_object_to_iterator(dir_object);
 
-	Z_ADDREF_P(object);
+	Z_SET_REFCOUNT_P(object, Z_REFCOUNT_P(object) + 2);
 	iterator->intern.data = (void*)object;
 	iterator->intern.funcs = &spl_filesystem_tree_it_funcs;
 	iterator->current = NULL;
diff --git a/ext/spl/tests/dit_003.phpt b/ext/spl/tests/dit_003.phpt
new file mode 100755
index 0000000000..4232a7fbc4
--- /dev/null
+++ b/ext/spl/tests/dit_003.phpt
@@ -0,0 +1,17 @@
+--TEST--
+SPL: FilesystemIterator and foreach
+--SKIPIF--
+<?php if (!extension_loaded("spl")) print "skip"; ?>
+--FILE--
+<?php
+$count = 0;
+foreach(new FilesystemIterator('CVS') as $ent)
+{
+	++$count;
+}
+var_dump($count > 0);
+?>
+===DONE===
+--EXPECTF--
+bool(true)
+===DONE===