From 77fffff15762137e2d8173df9b733b4cb70fc996 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Tue, 21 May 2013 09:58:11 +0400
Subject: [PATCH] Fixed bug #64720 (SegFault on zend_deactivate)
---
 NEWS | 1 +
 Zend/tests/bug64720.phpt | 48 +++++++++++++++++++++++++++++++++++++
 Zend/zend_object_handlers.c | 8 +++++++
 Zend/zend_opcode.c | 3 ++-
 4 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/bug64720.phpt
diff --git a/NEWS b/NEWS
index 9910c7c41c..5bf6872bc2 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ PHP NEWS
 ?? ??? 2013, PHP 5.4.16
 - Core:
+ . Fixed bug #64720 (SegFault on zend_deactivate). (Dmitry)
 . Fixed bug #64729 (compilation failure on x32). (Gustavo)
 . Fixed bug #64660 (Segfault on memory exhaustion within function definition).
 (Stas, reported by Juha Kylmänen)
diff --git a/Zend/tests/bug64720.phpt b/Zend/tests/bug64720.phpt
new file mode 100644
index 0000000000..6c33165bb5
--- /dev/null
+++ b/Zend/tests/bug64720.phpt
@@ -0,0 +1,48 @@
+--TEST--
+Bug #64720 (SegFault on zend_deactivate)
+--FILE--
+trace = debug_backtrace(1);
+ }
+}
+
+class Bar {
+ public function __destruct() {
+ Stat::getInstance();
+ new Error();
+ }
+
+ public function test() {
+ new Error();
+ }
+}
+
+$foo = new Foo();
+$bar = new Bar();
+$bar->test();
+?>
+--EXPECTF--
+Fatal error: Access to undeclared static property: Stat::$requests in %sbug64720.php on line 12
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index cc45d35ecd..c2bb056a9a 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -1278,6 +1278,14 @@ ZEND_API zval **zend_std_get_static_property(zend_class_entry *ce, const char *p
 }
 }
+ if (UNEXPECTED(CE_STATIC_MEMBERS(ce) == NULL) ||
+ UNEXPECTED(CE_STATIC_MEMBERS(ce)[property_info->offset] == NULL)) {
+ if (!silent) {
+ zend_error_noreturn(E_ERROR, "Access to undeclared static property: %s::$%s", ce->name, property_name);
+ }
+ return NULL;
+ }
+
 return &CE_STATIC_MEMBERS(ce)[property_info->offset];
 }
 /* }}} */
diff --git a/Zend/zend_opcode.c b/Zend/zend_opcode.c
index e673f0197c..695b651a87 100644
--- a/Zend/zend_opcode.c
+++ b/Zend/zend_opcode.c
@@ -162,8 +162,9 @@ static inline void cleanup_user_class_data(zend_class_entry *ce TSRMLS_DC)
 for (i = 0; i < ce->default_static_members_count; i++) {
 if (ce->static_members_table[i]) {
- zval_ptr_dtor(&ce->static_members_table[i]);
+ zval *p = ce->static_members_table[i];
 ce->static_members_table[i] = NULL;
+ zval_ptr_dtor(&p);
 }
 }
 ce->static_members_table = NULL;
--
2.40.0
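Review bot: The new guard in zend_std_get_static_property reuses the message "Access to undeclared static property" for a property that is declared but whose storage is already gone, which is what the added test expects for `Stat::$requests`; the fatal error then points the reader at a misspelled name rather than at shutdown ordering. The guard also has no comment saying when the table or a slot can be NULL, so it looks like an impossible case that a later cleanup might delete. I would add `/* static members may already have been destroyed during shutdown (bug #64720); never return a pointer to an empty slot */` above the `if`. The silent path now returns NULL from this point as well, so callers passing silent must check the result; that cannot be confirmed here because the function starts above the hunk.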
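Review bot: The reordering in cleanup_user_class_data is the memory-safety part of the fix but is undocumented, so the temporary `p` reads as arbitrary and a later tidy-up could fold it back into `zval_ptr_dtor(&ce->static_members_table[i]);`. Presumably the slot is cleared first because zval_ptr_dtor() can run a user destructor that reads the same static property, as the added test does. I would state that above `zval *p = ...`, for example `/* clear the slot before destruction: a destructor may look up this static property and must not see a value being freed */`. Any other loop that destroys table entries in place would need the same ordering; none is visible in this hunk, and the function body starts and ends outside it.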