From: Xinchen Hui
Date: Sat, 19 Dec 2015 05:40:20 +0000 (-0800)
Subject: Fixed bug #71163 (Segmentation Fault: cleanup_unfinished_calls)
X-Git-Tag: php-7.0.2RC1~12
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=eb4ce3f1a8d3c14bf9245ef730d885be359499a8;p=php
Fixed bug #71163 (Segmentation Fault: cleanup_unfinished_calls)
---
diff --git a/NEWS b/NEWS
index 699a54efe2..70e11367aa 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ PHP NEWS ?? Jan 2016 PHP 7.0.2 - Core: + . Fixed bug #71163 (Segmentation Fault: cleanup_unfinished_calls). (Laruence) . Fixed bug #71109 (ZEND_MOD_CONFLICTS("xdebug") doesn't work). (Laruence) . Fixed bug #71105 (Format String Vulnerability in Class Name Error Message). (andrew at jmpesp dot org)
diff --git a/Zend/tests/bug71163.phpt b/Zend/tests/bug71163.phpt
new file mode 100644
index 0000000000..102b1b93ec
--- /dev/null
+++ b/Zend/tests/bug71163.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug #71163 (Segmentation Fault (cleanup_unfinished_calls))
+--FILE--
+
+--EXPECT--
+okey
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
index fdffed34b2..802b7c8ca3 100644
--- a/Zend/zend_execute_API.c
+++ b/Zend/zend_execute_API.c
@@ -937,7 +937,6 @@ ZEND_API zend_class_entry *zend_lookup_class_ex(zend_string *name, const zval *k
 zend_class_entry *ce = NULL;
 zval args[1];
 zval local_retval;
- int retval;
 zend_string *lc_name;
 zend_fcall_info fcall_info;
 zend_fcall_info_cache fcall_cache;
@@ -1033,7 +1032,9 @@ ZEND_API zend_class_entry *zend_lookup_class_ex(zend_string *name, const zval *k
 fcall_cache.object = NULL;
 zend_exception_save();
- retval = zend_call_function(&fcall_info, &fcall_cache);
+ if ((zend_call_function(&fcall_info, &fcall_cache) == SUCCESS) && !EG(exception)) {
+ ce = zend_hash_find_ptr(EG(class_table), lc_name);
+ }
 zend_exception_restore();
 zval_ptr_dtor(&args[0]);
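Review bot: The `!EG(exception)` test added to zend_lookup_class_ex is correct only because it runs between `zend_exception_save()` and `zend_exception_restore()`, and the new code carries no comment saying so. As I read it, save() sets aside any exception that was already pending, so inside this window EG(exception) reports only what the autoload call raised; moved below restore(), the same test would also refuse lookups made while an earlier exception is still in flight. I would add above the `if`: `/* Trust the class table only if the autoloader returned without throwing; keep this before zend_exception_restore(). */`. The function now returns NULL even when the autoloader registered the class before throwing, so each caller has to stop on NULL with an exception pending rather than continue building a call; those callers and the rest of this function lie outside the hunk.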
@@ -1043,9 +1044,6 @@ ZEND_API zend_class_entry *zend_lookup_class_ex(zend_string *name, const zval *k
 zval_ptr_dtor(&local_retval);
- if (retval == SUCCESS) {
- ce = zend_hash_find_ptr(EG(class_table), lc_name);
- }
 if (!key) {
 zend_string_release(lc_name);
 }