From: Dmitry Stogov <dmitry@php.net>
Date: Mon, 6 Jun 2005 09:50:08 +0000 (+0000)
Subject: Fixed bug #32596 (Segfault/Memory Leak by getClass (etc) in __destruct)
X-Git-Tag: php-5.0.5RC1~207
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f5f6a1bb021fef2cc104443e0f084058442d998c;p=php

Fixed bug #32596 (Segfault/Memory Leak by getClass (etc) in __destruct)
---

diff --git a/NEWS b/NEWS
index e044c6b1a5..ce8eabf1ae 100644
--- a/NEWS
+++ b/NEWS
@@ -82,6 +82,8 @@ PHP                                                                        NEWS
   access errors). (Jani, ric at arizona dot edu)
 - Fixed bug #32608 (html_entity_decode() converts single quotes even if
   ENT_NOQUOTES is given). (Ilia)
+- Fixed bug #32596 (Segfault/Memory Leak by getClass (etc) in __destruct).
+  (Dmitry)
 - Fixed bug #32591 (ext/mysql: Unsatisfied symbol: ntohs with HP-UX). (Jani)
 - Fixed bug #32589 (Possible crash inside imap_mail_compose, with charsets).
   (Ilia)
diff --git a/Zend/tests/bug32596.phpt b/Zend/tests/bug32596.phpt
new file mode 100755
index 0000000000..2dd0cfe9f0
--- /dev/null
+++ b/Zend/tests/bug32596.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #32596 (Segfault/Memory Leak by getClass (etc) in __destruct)
+--FILE--
+<?php
+class BUG {
+  public $error = "please fix this thing, it wasted a nice part of my life!\n";
+  static function instance() {return new BUG();}  
+
+  function __destruct()
+  {
+    $c=get_class($this); unset($c);
+    echo get_class($this) ."\n";
+    if(defined('DEBUG_'.__CLASS__)){}
+    $c=get_class($this); //memory leak only
+    echo $this->error;
+  }
+}
+
+
+BUG::instance()->error;
+echo "this is still executed\n";
+?>
+--EXPECT--
+BUG
+please fix this thing, it wasted a nice part of my life!
+this is still executed
+
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
index 75bb57946b..afa26a5885 100644
--- a/Zend/zend_execute_API.c
+++ b/Zend/zend_execute_API.c
@@ -392,15 +392,17 @@ ZEND_API zend_bool zend_is_executing(TSRMLS_D)
 
 ZEND_API void _zval_ptr_dtor(zval **zval_ptr ZEND_FILE_LINE_DC)
 {
+	zval *zv = *zval_ptr;
+
 #if DEBUG_ZEND>=2
 	printf("Reducing refcount for %x (%x):  %d->%d\n", *zval_ptr, zval_ptr, (*zval_ptr)->refcount, (*zval_ptr)->refcount-1);
 #endif
-	(*zval_ptr)->refcount--;
-	if ((*zval_ptr)->refcount==0) {
-		zval_dtor(*zval_ptr);
-		safe_free_zval_ptr_rel(*zval_ptr ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_CC);
-	} else if ((*zval_ptr)->refcount == 1) {
-		(*zval_ptr)->is_ref = 0;
+	zv->refcount--;
+	if (zv->refcount==0) {
+		zval_dtor(zv);
+		safe_free_zval_ptr_rel(zv ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_CC);
+	} else if (zv->refcount == 1) {
+		zv->is_ref = 0;
 	}
 }