From 42add0f2e1d64ec16f265f80702a1c58fa0f1c23 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Johannes=20Schl=C3=BCter?=
Date: Fri, 21 Dec 2007 20:58:11 +0000
Subject: [PATCH] - MFH: Fix #43450 (Memory leak on some functions with implicit object __toString() call) (Davic C.)
---
 NEWS | 2 ++
 Zend/tests/bug43450.phpt | 35 +++++++++++++++++++++++++++++++++++
 Zend/zend_object_handlers.c | 14 ++++++++++++++
 3 files changed, 51 insertions(+)
 create mode 100644 Zend/tests/bug43450.phpt
diff --git a/NEWS b/NEWS
index 5246b7f1d5..beef61b52c 100644
--- a/NEWS
+++ b/NEWS
@@ -23,6 +23,8 @@ PHP NEWS
 (Ilia)
 - Fixed bug #43457 (Prepared statement with incorrect parms doesn't throw
 exception with pdo_pgsql driver). (Ilia)
+- Fixed bug #43450 (Memory leak on some functions with implicit object
+ __toString() call). (Davic C.)
 - Fixed bug #43386 (array_globals not reset to 0 properly on init). (Ilia)
 - Fixed bug #43377 (PHP crashes with invalid argument for DateTimeZone). (Ilia)
 - Fixed bug #43373 (pcntl_fork() should not raise E_ERROR on error). (Ilia)
diff --git a/Zend/tests/bug43450.phpt b/Zend/tests/bug43450.phpt
new file mode 100644
index 0000000000..926e146f4e
--- /dev/null
+++ b/Zend/tests/bug43450.phpt
@@ -0,0 +1,35 @@
+--TEST--
+Bug #43450 (Memory leak on some functions with implicit object __toString() call)
+--SKIPIF--
+
+--FILE--
+
+--EXPECT--
+PASS
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index ea96ccad38..85f4f9b4e6 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -1105,6 +1105,9 @@ ZEND_API int zend_std_cast_object_tostring(zval *readobj, zval *writeobj, int ty
 }
 if (Z_TYPE_P(retval) == IS_STRING) {
 INIT_PZVAL(writeobj);
+ if (readobj == writeobj) {
+ zval_dtor(readobj);
+ }
 ZVAL_ZVAL(writeobj, retval, 1, 1);
 if (Z_TYPE_P(writeobj) != type) {
 convert_to_explicit_type(writeobj, type);
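Review bot: The added guard `if (readobj == writeobj) { zval_dtor(readobj); }` releases the old object before `ZVAL_ZVAL(writeobj, retval, 1, 1)` gives the zval its new value, so for a moment the zval still carries the object type while its reference has already been dropped. If dropping that reference can run a user `__destruct`, that code executes while the zval is in this intermediate state; it is worth confirming this cannot be reached, or else copying the old value into a local, writing the new value, and destroying the local afterwards. The same guard is repeated in the `else` branch of the next hunk and in the int and double cases of the last one, so a small static helper with a comment explaining why an in-place cast must release the source would keep the four sites consistent. The enclosing function starts and ends outside this hunk.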
@@ -1113,6 +1116,9 @@ ZEND_API int zend_std_cast_object_tostring(zval *readobj, zval *writeobj, int ty
 } else {
 zval_ptr_dtor(&retval);
 INIT_PZVAL(writeobj);
+ if (readobj == writeobj) {
+ zval_dtor(readobj);
+ }
 ZVAL_EMPTY_STRING(writeobj);
 zend_error(E_RECOVERABLE_ERROR, "Method %s::__toString() must return a string value", ce->name);
 return SUCCESS;
@@ -1127,15 +1133,23 @@ ZEND_API int zend_std_cast_object_tostring(zval *readobj, zval *writeobj, int ty
 ce = Z_OBJCE_P(readobj);
 zend_error(E_NOTICE, "Object of class %s could not be converted to int", ce->name);
 INIT_PZVAL(writeobj);
+ if (readobj == writeobj) {
+ zval_dtor(readobj);
+ }
 ZVAL_LONG(writeobj, 1);
 return SUCCESS;
 case IS_DOUBLE:
 ce = Z_OBJCE_P(readobj);
 zend_error(E_NOTICE, "Object of class %s could not be converted to double", ce->name);
 INIT_PZVAL(writeobj);
+ if (readobj == writeobj) {
+ zval_dtor(readobj);
+ }
 ZVAL_DOUBLE(writeobj, 1);
 return SUCCESS;
 default:
+ INIT_PZVAL(writeobj);
+ Z_TYPE_P(writeobj) = IS_NULL;
 break;
 }
 return FAILURE;
-- 
2.40.0
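Review bot: The new `default:` branch in the last hunk overwrites writeobj with `INIT_PZVAL(writeobj); Z_TYPE_P(writeobj) = IS_NULL;` but omits the `readobj == writeobj` release that every other branch gains in this commit. An in-place cast to an unhandled type would therefore drop the object reference without releasing it, which is the same leak the commit fixes elsewhere. The branch also rewrites the caller's zval on a path that goes on to `return FAILURE`, so a caller that keeps using the value after a failed cast would find NULL with refcount and is_ref reset. Either add the guard before the type assignment, `if (readobj == writeobj) { zval_dtor(readobj); }`, or leave writeobj untouched on failure and add a comment stating which contract callers should rely on. The switch and the function both begin outside the hunk.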