From a7c91fec3ad83cb6b985b0e4eb3677c4347a18ac Mon Sep 17 00:00:00 2001 From: Dmitry Stogov Date: Tue, 27 Sep 2005 18:08:26 +0000 Subject: [PATCH] Fixed bug #34617 (zend_deactivate: objects_store used after zend_objects_store_destroy is called) --- Zend/tests/bug34617.phpt | 18 ++++++++++++++++++ Zend/zend_objects_API.c | 12 ++++++++++-- 2 files changed, 28 insertions(+), 2 deletions(-) create mode 100755 Zend/tests/bug34617.phpt diff --git a/Zend/tests/bug34617.phpt b/Zend/tests/bug34617.phpt new file mode 100755 index 0000000000..23c43c4f9f --- /dev/null +++ b/Zend/tests/bug34617.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug #34617 (zend_deactivate: objects_store used after zend_objects_store_destroy is called) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +ok \ No newline at end of file diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c index ab62dcfe48..74caaba5fa 100644 --- a/Zend/zend_objects_API.c +++ b/Zend/zend_objects_API.c @@ -38,6 +38,7 @@ ZEND_API void zend_objects_store_init(zend_objects_store *objects, zend_uint ini ZEND_API void zend_objects_store_destroy(zend_objects_store *objects) { efree(objects->object_buckets); + objects->object_buckets = NULL; } ZEND_API void zend_objects_store_call_destructors(zend_objects_store *objects TSRMLS_DC) @@ -138,8 +139,15 @@ ZEND_API void zend_objects_store_add_ref(zval *object TSRMLS_DC) ZEND_API void zend_objects_store_del_ref(zval *zobject TSRMLS_DC) { - zend_object_handle handle = Z_OBJ_HANDLE_P(zobject); - struct _store_object *obj = &EG(objects_store).object_buckets[handle].bucket.obj; + zend_object_handle handle; + struct _store_object *obj; + + if (!EG(objects_store).object_buckets) { + return; + } + + handle = Z_OBJ_HANDLE_P(zobject); + obj = &EG(objects_store).object_buckets[handle].bucket.obj; /* Make sure we hold a reference count during the destructor call otherwise, when the destructor ends the storage might be freed -- 2.50.1