From 1027f0d978f3bad0019b6606165c5f03efeaea75 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Sat, 20 Sep 2014 12:46:05 +0200 Subject: [PATCH] Fix leak in foreach with by-ref iteration of ref array --- Zend/zend_vm_def.h | 4 +--- Zend/zend_vm_execute.h | 16 ++++------------ 2 files changed, 5 insertions(+), 15 deletions(-) diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index b4f8c83f1b..4015855568 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -4464,16 +4464,14 @@ ZEND_VM_HANDLER(77, ZEND_FE_RESET, CONST|TMP|VAR|CV, ANY) array_ptr = array_ref = GET_OP1_ZVAL_PTR_PTR(BP_VAR_R); ZVAL_DEREF(array_ptr); if (Z_TYPE_P(array_ptr) == IS_ARRAY) { + SEPARATE_ARRAY(array_ptr); if (!Z_ISREF_P(array_ref)) { - SEPARATE_ARRAY(array_ptr); array_ref = array_ptr; if (opline->extended_value & ZEND_FE_FETCH_BYREF) { ZVAL_NEW_REF(array_ptr, array_ptr); array_ref = array_ptr; array_ptr = Z_REFVAL_P(array_ptr); } - } else if (Z_IMMUTABLE_P(array_ptr) || Z_REFCOUNT_P(array_ptr) > 1) { - zval_copy_ctor(array_ptr); } if (Z_REFCOUNTED_P(array_ref)) Z_ADDREF_P(array_ref); } else if (Z_TYPE_P(array_ptr) == IS_OBJECT) { diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index d575db0018..e236fa6470 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -3069,16 +3069,14 @@ static int ZEND_FASTCALL ZEND_FE_RESET_SPEC_CONST_HANDLER(ZEND_OPCODE_HANDLER_A array_ptr = array_ref = NULL; ZVAL_DEREF(array_ptr); if (Z_TYPE_P(array_ptr) == IS_ARRAY) { + SEPARATE_ARRAY(array_ptr); if (!Z_ISREF_P(array_ref)) { - SEPARATE_ARRAY(array_ptr); array_ref = array_ptr; if (opline->extended_value & ZEND_FE_FETCH_BYREF) { ZVAL_NEW_REF(array_ptr, array_ptr); array_ref = array_ptr; array_ptr = Z_REFVAL_P(array_ptr); } - } else if (Z_IMMUTABLE_P(array_ptr) || Z_REFCOUNT_P(array_ptr) > 1) { - zval_copy_ctor(array_ptr); } if (Z_REFCOUNTED_P(array_ref)) Z_ADDREF_P(array_ref); } else if (Z_TYPE_P(array_ptr) == IS_OBJECT) { @@ -9789,16 +9787,14 @@ static int ZEND_FASTCALL ZEND_FE_RESET_SPEC_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARG array_ptr = array_ref = NULL; ZVAL_DEREF(array_ptr); if (Z_TYPE_P(array_ptr) == IS_ARRAY) { + SEPARATE_ARRAY(array_ptr); if (!Z_ISREF_P(array_ref)) { - SEPARATE_ARRAY(array_ptr); array_ref = array_ptr; if (opline->extended_value & ZEND_FE_FETCH_BYREF) { ZVAL_NEW_REF(array_ptr, array_ptr); array_ref = array_ptr; array_ptr = Z_REFVAL_P(array_ptr); } - } else if (Z_IMMUTABLE_P(array_ptr) || Z_REFCOUNT_P(array_ptr) > 1) { - zval_copy_ctor(array_ptr); } if (Z_REFCOUNTED_P(array_ref)) Z_ADDREF_P(array_ref); } else if (Z_TYPE_P(array_ptr) == IS_OBJECT) { @@ -16424,16 +16420,14 @@ static int ZEND_FASTCALL ZEND_FE_RESET_SPEC_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARG array_ptr = array_ref = _get_zval_ptr_ptr_var(opline->op1.var, execute_data, &free_op1 TSRMLS_CC); ZVAL_DEREF(array_ptr); if (Z_TYPE_P(array_ptr) == IS_ARRAY) { + SEPARATE_ARRAY(array_ptr); if (!Z_ISREF_P(array_ref)) { - SEPARATE_ARRAY(array_ptr); array_ref = array_ptr; if (opline->extended_value & ZEND_FE_FETCH_BYREF) { ZVAL_NEW_REF(array_ptr, array_ptr); array_ref = array_ptr; array_ptr = Z_REFVAL_P(array_ptr); } - } else if (Z_IMMUTABLE_P(array_ptr) || Z_REFCOUNT_P(array_ptr) > 1) { - zval_copy_ctor(array_ptr); } if (Z_REFCOUNTED_P(array_ref)) Z_ADDREF_P(array_ref); } else if (Z_TYPE_P(array_ptr) == IS_OBJECT) { @@ -33854,16 +33848,14 @@ static int ZEND_FASTCALL ZEND_FE_RESET_SPEC_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS array_ptr = array_ref = _get_zval_ptr_cv_BP_VAR_R(execute_data, opline->op1.var TSRMLS_CC); ZVAL_DEREF(array_ptr); if (Z_TYPE_P(array_ptr) == IS_ARRAY) { + SEPARATE_ARRAY(array_ptr); if (!Z_ISREF_P(array_ref)) { - SEPARATE_ARRAY(array_ptr); array_ref = array_ptr; if (opline->extended_value & ZEND_FE_FETCH_BYREF) { ZVAL_NEW_REF(array_ptr, array_ptr); array_ref = array_ptr; array_ptr = Z_REFVAL_P(array_ptr); } - } else if (Z_IMMUTABLE_P(array_ptr) || Z_REFCOUNT_P(array_ptr) > 1) { - zval_copy_ctor(array_ptr); } if (Z_REFCOUNTED_P(array_ref)) Z_ADDREF_P(array_ref); } else if (Z_TYPE_P(array_ptr) == IS_OBJECT) { -- 2.40.0