From: Nikita Popov <nikic@php.net>
Date: Fri, 21 Dec 2012 00:56:37 +0000 (+0100)
Subject: Fix bug #63822: Crash when using closures with ArrayAccess
X-Git-Tag: php-5.5.0alpha3~49
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ffb848b275a085917413c171a79cbfdb1d0159d2;p=php

Fix bug #63822: Crash when using closures with ArrayAccess

op_array->T was used after the closure's op_array was already freed. This just
swaps the freeing order.
---

diff --git a/NEWS b/NEWS
index d63858df01..019513a117 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 201?, PHP 5.5.0 Alpha 3
 
+- General improvements:
+  . Fixed bug #63822 (Crash when using closures with ArrayAccess).
+    (Nikita Popov)
 
 18 Dec 2012, PHP 5.5.0 Alpha 2
 
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index c933a48248..2c17182b9f 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1843,7 +1843,7 @@ ZEND_VM_HANDLER(39, ZEND_ASSIGN_REF, VAR|CV, VAR|CV)
 
 ZEND_VM_HELPER(zend_leave_helper, ANY, ANY)
 {
-	zend_bool nested;
+	zend_bool nested = EX(nested);
 	zend_op_array *op_array = EX(op_array);
 
 	EG(current_execute_data) = EX(prev_execute_data);
@@ -1852,14 +1852,12 @@ ZEND_VM_HELPER(zend_leave_helper, ANY, ANY)
 		i_free_compiled_variables(execute_data);
 	}
 
+	zend_vm_stack_free((char*)execute_data - (ZEND_MM_ALIGNED_SIZE(sizeof(temp_variable)) * op_array->T) TSRMLS_CC);
+
 	if ((op_array->fn_flags & ZEND_ACC_CLOSURE) && op_array->prototype) {
 		zval_ptr_dtor((zval**)&op_array->prototype);
 	}
 
-	nested = EX(nested);
-
-	zend_vm_stack_free((char*)execute_data - (ZEND_MM_ALIGNED_SIZE(sizeof(temp_variable)) * op_array->T) TSRMLS_CC);
-
 	if (nested) {
 		execute_data = EG(current_execute_data);
 	}
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index dab0df3540..c51df01c2d 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -383,7 +383,7 @@ ZEND_API void zend_execute(zend_op_array *op_array TSRMLS_DC)
 
 static int ZEND_FASTCALL zend_leave_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS)
 {
-	zend_bool nested;
+	zend_bool nested = EX(nested);
 	zend_op_array *op_array = EX(op_array);
 
 	EG(current_execute_data) = EX(prev_execute_data);
@@ -392,14 +392,12 @@ static int ZEND_FASTCALL zend_leave_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS)
 		i_free_compiled_variables(execute_data);
 	}
 
+	zend_vm_stack_free((char*)execute_data - (ZEND_MM_ALIGNED_SIZE(sizeof(temp_variable)) * op_array->T) TSRMLS_CC);
+
 	if ((op_array->fn_flags & ZEND_ACC_CLOSURE) && op_array->prototype) {
 		zval_ptr_dtor((zval**)&op_array->prototype);
 	}
 
-	nested = EX(nested);
-
-	zend_vm_stack_free((char*)execute_data - (ZEND_MM_ALIGNED_SIZE(sizeof(temp_variable)) * op_array->T) TSRMLS_CC);
-
 	if (nested) {
 		execute_data = EG(current_execute_data);
 	}