From: Xinchen Hui <laruence@php.net>
Date: Mon, 20 Apr 2015 03:48:21 +0000 (+0800)
Subject: Fixed bug #69485 (Double free on zend_list_dtor).
X-Git-Tag: PRE_PHP7_NSAPI_REMOVAL~212
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d66045fe73fb646f15a45286313231908e656a37;p=php

Fixed bug #69485 (Double free on zend_list_dtor).
---

diff --git a/NEWS b/NEWS
index 3b2307af6c..b5e04600fc 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,7 @@
   . Update the MIME type list from the one shipped by Apache HTTPD. (Adam)
 
 - Core:
+  . Fixed bug #69485 (Double free on zend_list_dtor). (Laruence)
   . Fixed bug #69427 (Segfault on magic method __call of private method in 
     superclass). (Laruence)
   . Improved __call() and __callStatic() magic method handling. Now they are
diff --git a/Zend/zend_list.c b/Zend/zend_list.c
index 2c653782ee..261489b4a1 100644
--- a/Zend/zend_list.c
+++ b/Zend/zend_list.c
@@ -65,17 +65,19 @@ ZEND_API int zend_list_free(zend_resource *res)
 static void zend_resource_dtor(zend_resource *res)
 {
 	zend_rsrc_list_dtors_entry *ld;
+	zend_resource r = *res;
 
-	ld = zend_hash_index_find_ptr(&list_destructors, res->type);
+	res->type = -1;
+	res->ptr = NULL;
+
+	ld = zend_hash_index_find_ptr(&list_destructors, r.type);
 	if (ld) {
 		if (ld->list_dtor_ex) {
-			ld->list_dtor_ex(res);
+			ld->list_dtor_ex(&r);
 		}
 	} else {
-		zend_error(E_WARNING,"Unknown list entry type (%d)", res->type);
+		zend_error(E_WARNING, "Unknown list entry type (%d)", r.type);
 	}
-	res->ptr = NULL;
-	res->type = -1;
 }
 
 
@@ -178,8 +180,8 @@ void list_entry_destructor(zval *zv)
 {
 	zend_resource *res = Z_RES_P(zv);
 
+	ZVAL_UNDEF(zv);
 	if (res->type >= 0) {
-
 		zend_resource_dtor(res);
 	}
 	efree_size(res, sizeof(zend_resource));
diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index bf8d2f00eb..e18d084881 100644
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -283,7 +283,7 @@ void _php_curl_verify_handlers(php_curl *ch, int reporterror) /* {{{ */
 			curl_easy_setopt(ch->cp, CURLOPT_FILE, (void *) ch);
 		}
 	}
-	return ;
+	return;
 }
 /* }}} */
 
diff --git a/ext/curl/tests/bug69485.phpt b/ext/curl/tests/bug69485.phpt
new file mode 100644
index 0000000000..7a62589e5e
--- /dev/null
+++ b/ext/curl/tests/bug69485.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #69485 (Double free on zend_list_dtor)
+--SKIPIF--
+<?php include 'skipif.inc'; ?>
+--FILE--
+<?php
+
+class O {
+	public $ch;
+	public function dummy() {
+	}
+}
+
+$ch = curl_init();
+
+$o = new O;
+$o->ch = $ch;
+curl_setopt($ch, CURLOPT_WRITEFUNCTION, array($o, "dummy"));
+?>
+==DONE==
+--EXPECT--
+==DONE==