From 39f1f2fcd3985c904233e28e787ef36a500d03f2 Mon Sep 17 00:00:00 2001 From: Ilia Alshanetsky Date: Sun, 28 Oct 2007 13:47:14 +0000 Subject: [PATCH] MFB: Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) --- NEWS | 2 ++ ext/reflection/php_reflection.c | 12 +++++++---- ext/reflection/tests/bug42976.phpt | 34 ++++++++++++++++++++++++++++++ 3 files changed, 44 insertions(+), 4 deletions(-) create mode 100644 ext/reflection/tests/bug42976.phpt diff --git a/NEWS b/NEWS index 28996dc534..9e06e4fd4a 100644 --- a/NEWS +++ b/NEWS @@ -44,6 +44,8 @@ PHP NEWS (Ilia) - Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) +- Fixed bug #42976 (Crash when constructor for newInstance() or + newInstanceArgs() fails) (Ilia) - Fixed bug #42943 (ext/mssql: Move *timeout initialization from RINIT to connect time). (Ilia) - Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c index 586f0764e8..35553b299f 100644 --- a/ext/reflection/php_reflection.c +++ b/ext/reflection/php_reflection.c @@ -3405,7 +3405,7 @@ ZEND_METHOD(reflection_class, isInstance) Returns an instance of this class */ ZEND_METHOD(reflection_class, newInstance) { - zval *retval_ptr; + zval *retval_ptr = NULL; reflection_object *intern; zend_class_entry *ce; int argc = ZEND_NUM_ARGS(); @@ -3449,7 +3449,9 @@ ZEND_METHOD(reflection_class, newInstance) if (zend_call_function(&fci, &fcc TSRMLS_CC) == FAILURE) { efree(params); - zval_ptr_dtor(&retval_ptr); + if (retval_ptr) { + zval_ptr_dtor(&retval_ptr); + } zend_error(E_WARNING, "Invocation of %s's constructor failed", ce->name); RETURN_NULL(); } 
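Review bot: The new `= NULL` initialiser on `retval_ptr` in newInstance has no comment explaining that the failure branch depends on it, so a later tidy-up could drop it as redundant and reintroduce destruction of an unset pointer. I would put `/* stays NULL unless the constructor call stores a result; the failure path checks it before zval_ptr_dtor() */` above the declaration. The same comment belongs on the identical declaration in newInstanceArgs (hunk at -3469). How the pointer reaches the call is outside this hunk, presumably through the call-info structure.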
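Review bot: The failure branch in newInstance (hunk at -3449) still calls `efree(params);` unconditionally, while the matching branch in newInstanceArgs (hunk at -3524) guards it with `if (params) { efree(params); }`. Since this commit is already hardening both cleanup paths against unset pointers, the two branches should free `params` the same way. Whether `params` can be NULL in newInstance depends on allocation code outside the hunk, so either add the guard here or add a one-line comment stating why it is not needed. Both functions start and end outside their hunks.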
@@ -3469,7 +3471,7 @@ ZEND_METHOD(reflection_class, newInstance) Returns an instance of this class */ ZEND_METHOD(reflection_class, newInstanceArgs) { - zval *retval_ptr; + zval *retval_ptr = NULL; reflection_object *intern; zend_class_entry *ce; int argc = 0; @@ -3524,7 +3526,9 @@ ZEND_METHOD(reflection_class, newInstanceArgs) if (params) { efree(params); } - zval_ptr_dtor(&retval_ptr); + if (retval_ptr) { + zval_ptr_dtor(&retval_ptr); + } zend_error(E_WARNING, "Invocation of %s's constructor failed", ce->name); RETURN_NULL(); } diff --git a/ext/reflection/tests/bug42976.phpt b/ext/reflection/tests/bug42976.phpt new file mode 100644 index 0000000000..38aed3a400 --- /dev/null +++ b/ext/reflection/tests/bug42976.phpt @@ -0,0 +1,34 @@ +--TEST-- +Bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) +--FILE-- +newInstance($x); // causes crash +var_dump($x); +$x = "x.original"; +$rc->newInstanceArgs(array($x)); // causes crash +var_dump($x); + +echo "Done\n"; +?> +--EXPECTF-- +string(9) "x.changed" + +Warning: Invocation of C's constructor failed in %s/bug42976.php on line %d +string(10) "x.original" + +Warning: Invocation of C's constructor failed in %s/bug42976.php on line %d +string(10) "x.original" +Done -- 2.40.0
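Review bot: Both expected warning lines in the --EXPECTF-- section match the script path as `%s/bug42976.php`, which hard-codes a forward slash as the directory separator. On a platform where the reported path uses a backslash, the pattern would not match and the test would fail for a reason unrelated to the crash it guards against. Writing both lines as `Warning: Invocation of C's constructor failed in %sbug42976.php on line %d` lets `%s` absorb the separator.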