From 4e2c0bc9050c8a676adb2efb1f17c03cf045f250 Mon Sep 17 00:00:00 2001
From: Antony Dovgal <tony2001@php.net>
Date: Wed, 11 Feb 2009 09:58:23 +0000
Subject: [PATCH] MFH: fix bug #47353 (crash when creating a lot of objects in
 object destructor)

---
 Zend/zend_objects_API.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c
index 2137a4d977..c339b84742 100644
--- a/Zend/zend_objects_API.c
+++ b/Zend/zend_objects_API.c
@@ -55,6 +55,7 @@ ZEND_API void zend_objects_store_call_destructors(zend_objects_store *objects TS
 				if (obj->dtor && obj->object) {
 					obj->refcount++;
 					obj->dtor(obj->object, i TSRMLS_CC);
+					obj = &objects->object_buckets[i].bucket.obj;
 					obj->refcount--;
 				}
 			}
@@ -208,6 +209,10 @@ ZEND_API void zend_objects_store_del_ref_by_handle_ex(zend_object_handle handle,
 					} zend_end_try();
 				}
 			}
+			
+			/* re-read the object from the object store as the store might have been reallocated in the dtor */
+			obj = &EG(objects_store).object_buckets[handle].bucket.obj;
+
 			if (obj->refcount == 1) {
 				GC_REMOVE_ZOBJ_FROM_BUFFER(obj);
 				if (obj->free_storage) {
@@ -251,6 +256,7 @@ ZEND_API zend_object_value zend_objects_store_clone_obj(zval *zobject TSRMLS_DC)
 	}
 
 	obj->clone(obj->object, &new_object TSRMLS_CC);
+	obj = &EG(objects_store).object_buckets[handle].bucket.obj;
 
 	retval.handle = zend_objects_store_put(new_object, obj->dtor, obj->free_storage, obj->clone TSRMLS_CC);
 	retval.handlers = Z_OBJ_HT_P(zobject);
-- 
2.40.0