From b9438a1ec7a2548e05b938f8034f74f9c7d490f0 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Mon, 5 May 2014 19:56:05 +0200
Subject: [PATCH] Fix use after free for doc_comment persist
---
 ext/opcache/zend_persist.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ext/opcache/zend_persist.c b/ext/opcache/zend_persist.c
index 601849b012..ca3c1882d9 100644
--- a/ext/opcache/zend_persist.c
+++ b/ext/opcache/zend_persist.c
@@ -402,7 +402,12 @@ static void zend_persist_op_array_ex(zend_op_array *op_array, zend_persistent_sc
 if (op_array->doc_comment) {
 if (ZCG(accel_directives).save_comments) {
- zend_accel_store_string(op_array->doc_comment);
+ if (already_stored) {
+ op_array->doc_comment = zend_shared_alloc_get_xlat_entry(op_array->doc_comment);
+ ZEND_ASSERT(op_array->doc_comment != NULL);
+ } else {
+ zend_accel_store_string(op_array->doc_comment);
+ }
 } else {
 if (!already_stored) {
 STR_RELEASE(op_array->doc_comment);
--
2.40.0
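Review bot: In the new `already_stored` branch, the only guard on the result of `zend_shared_alloc_get_xlat_entry()` is `ZEND_ASSERT`, which is normally not enforced in non-debug builds, and `op_array->doc_comment` has already been overwritten by the time the check runs. If the translation table ever lacks the entry, a release build would carry on with a NULL pointer (or one the compiler was told to assume non-NULL, depending on how the macro is defined) and the original pointer is lost. Consider holding the lookup result in a local and assigning it only when it is non-NULL. A comment would also make the reason for the branch visible, for example `/* doc_comment was already moved to shared memory on the first persist; reuse the translated pointer instead of storing it again */`. The body of `zend_persist_op_array_ex` starts and ends outside this hunk, so how `already_stored` is derived cannot be checked from here.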