From 9aa88b4ec88a954a628e407572ecf095e87c9c1e Mon Sep 17 00:00:00 2001
From: Antony Dovgal
Date: Mon, 26 Feb 2007 09:14:41 +0000
Subject: [PATCH] fix #40635 (segfault in cURL extension)
---
 NEWS | 1 +
 ext/curl/curl.c | 15 +++++++++++----
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/NEWS b/NEWS
index 6a72813172..97ab874f6d 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,7 @@ PHP 4 NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Feb 2007, Version 4.4.6
+- Fixed bug #40635 (segfault in cURL extension). (Tony)
 - Fixed bug #40611 (possible cURL memory error). (Tony)
 22 Feb 2007, Version 4.4.6RC1
diff --git a/ext/curl/curl.c b/ext/curl/curl.c
index f1fe9f502f..c47c560942 100644
--- a/ext/curl/curl.c
+++ b/ext/curl/curl.c
@@ -1266,8 +1266,9 @@ cleanup_handle(php_curl *ch)
 return;
 }
- if (ch->handlers->write->buf.len) {
- memset(&ch->handlers->write->buf, 0, sizeof(smart_str));
+ if (ch->handlers->write->buf.len > 0) {
+ smart_str_free(&ch->handlers->write->buf);
+ ch->handlers->write->buf.len = 0;
 }
 memset(ch->err.str, 0, CURL_ERROR_SIZE + 1);
@@ -1297,6 +1298,7 @@ PHP_FUNCTION(curl_exec)
 if (error != CURLE_OK && error != CURLE_PARTIAL_FILE) {
 if (ch->handlers->write->buf.len > 0) {
 smart_str_free(&ch->handlers->write->buf);
+ ch->handlers->write->buf.len = 0;
 }
 RETURN_FALSE;
@@ -1306,9 +1308,10 @@ PHP_FUNCTION(curl_exec)
 if (ch->handlers->write->method == PHP_CURL_RETURN && ch->handlers->write->buf.len > 0) {
 --ch->uses;
- if (ch->handlers->write->type != PHP_CURL_BINARY)
+ if (ch->handlers->write->type != PHP_CURL_BINARY) {
 smart_str_0(&ch->handlers->write->buf);
- RETURN_STRINGL(ch->handlers->write->buf.c, ch->handlers->write->buf.len, 0);
+ }
+ RETURN_STRINGL(ch->handlers->write->buf.c, ch->handlers->write->buf.len, 1);
 }
 --ch->uses;
 if (ch->handlers->write->method == PHP_CURL_RETURN) {
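Review bot: In cleanup_handle the free is gated on `buf.len > 0`, so a buffer whose pointer is set while its length is zero would be skipped and never released. Testing the pointer instead, `if (ch->handlers->write->buf.c) {`, or calling smart_str_free() unconditionally would close that gap, assuming smart_str_free() tolerates an empty struct, which this page does not show. The same free-and-reset block appears again in the curl_exec error path and in _php_curl_close; a small static helper would keep the three sites from drifting apart. If smart_str_free() already zeroes the length, the explicit `buf.len = 0` is redundant and deserves a short comment saying why it is kept. cleanup_handle starts and ends outside the hunk.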
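Review bot: In the PHP_CURL_RETURN branch of curl_exec, passing 1 as the last argument of RETURN_STRINGL hands the caller a copy, so the handle keeps its own buffer until the next cleanup_handle() or _php_curl_close(), and a large response body is held twice for that time. If that is not wanted, the buffer can be released on the spot: `RETVAL_STRINGL(ch->handlers->write->buf.c, ch->handlers->write->buf.len, 1); smart_str_free(&ch->handlers->write->buf); return;`. Either way, a one-line comment such as `/* return a copy; write->buf stays owned by the handle */` would record the ownership rule that the free calls elsewhere in this commit depend on. The diffstat lists only NEWS and curl.c, so no regression test for handle reuse after a returned transfer accompanies the fix. The function body starts and ends outside the hunk.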
@@ -1533,6 +1536,10 @@ static void _php_curl_close(zend_rsrc_list_entry *rsrc TSRMLS_DC)
 zend_llist_clean(&ch->to_free.slist);
 zend_llist_clean(&ch->to_free.post);
+ if (ch->handlers->write->buf.len > 0) {
+ smart_str_free(&ch->handlers->write->buf);
+ ch->handlers->write->buf.len = 0;
+ }
 if (ch->handlers->write->func) {
 FREE_ZVAL(ch->handlers->write->func);
 ch->handlers->read->func = NULL;
-- 
2.50.1
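Review bot: Immediately below the added block in _php_curl_close, the unchanged context frees `ch->handlers->write->func` but then clears `ch->handlers->read->func`, so the freed write pointer is left set. This predates the commit, but it sits in the same free-and-reset sequence the commit is tidying and looks like a slip for `ch->handlers->write->func = NULL;`. The if block continues past the end of the hunk, so later lines may already handle it. For the added lines themselves, a comment such as `/* curl_exec() returns a copy, so the handle still owns write->buf here */` would explain why the close path has to free the buffer.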