From eb1ada852dcb5490a6e899e85de0bde63f1a5bfc Mon Sep 17 00:00:00 2001
From: =?utf8?q?Gustavo=20Andr=C3=A9=20dos=20Santos=20Lopes?=
 <cataphract@php.net>
Date: Wed, 22 Feb 2012 11:45:26 +0000
Subject: [PATCH] - Fixed bug #61115 (stream related segfault on fatal error in
   php_stream_context_link). #run-tests.php is not currently detecting the
 segfault in the test #Missing 5.4 merge

---
 NEWS                                     |  2 ++
 ext/standard/tests/streams/bug61115.phpt | 13 +++++++++++++
 main/streams/streams.c                   |  8 +++++---
 3 files changed, 20 insertions(+), 3 deletions(-)
 create mode 100644 ext/standard/tests/streams/bug61115.phpt

diff --git a/NEWS b/NEWS
index e08776fa84..a30382c589 100644
--- a/NEWS
+++ b/NEWS
@@ -29,6 +29,8 @@ PHP                                                                        NEWS
   . Fixed bug #60802 (ibase_trans() gives segfault when passing params).
 
 - Streams:
+  . Fixed bug #61115 (stream related segfault on fatal error in
+    php_stream_context_link). (Gustavo)
   . Further fix for bug #60455 (stream_get_line misbehaves if EOF is not detected
     together with the last read). (Gustavo)
   . Fixed bug #60817 (stream_get_line() reads from stream even when there is
diff --git a/ext/standard/tests/streams/bug61115.phpt b/ext/standard/tests/streams/bug61115.phpt
new file mode 100644
index 0000000000..29dc7c1ccc
--- /dev/null
+++ b/ext/standard/tests/streams/bug61115.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #61115: Stream related segfault on fatal error in php_stream_context_del_link.
+--FILE--
+<?php
+
+$arrayLarge = array_fill(0, 113663, '*');
+
+$resourceFileTemp = fopen('php://temp', 'r+');
+stream_context_set_params($resourceFileTemp, array());
+preg_replace('', function() {}, $resourceFileTemp);
+?>
+--EXPECTF--
+Catchable fatal error: Object of class Closure could not be converted to string in %s on line %d
diff --git a/main/streams/streams.c b/main/streams/streams.c
index af9f49f451..39e2976518 100755
--- a/main/streams/streams.c
+++ b/main/streams/streams.c
@@ -320,7 +320,9 @@ PHPAPI int _php_stream_free(php_stream *stream, int close_options TSRMLS_DC) /*
 	int remove_rsrc = 1;
 	int preserve_handle = close_options & PHP_STREAM_FREE_PRESERVE_HANDLE ? 1 : 0;
 	int release_cast = 1;
-	php_stream_context *context = stream->context;
+	/* on an unclean shutdown, the context may have already been freed (if it
+	 * was created after the stream resource), so don't reference it */
+	php_stream_context *context = CG(unclean_shutdown) ? NULL : stream->context;
 
 	if (stream->flags & PHP_STREAM_FLAG_NO_CLOSE) {
 		preserve_handle = 1;
@@ -374,8 +376,8 @@ fprintf(stderr, "stream_free: %s:%p[%s] preserve_handle=%d release_cast=%d remov
 	}
 
 	/* Remove stream from any context link list */
-	if (stream->context && stream->context->links) {
-		php_stream_context_del_link(stream->context, stream);
+	if (context && context->links) {
+		php_stream_context_del_link(context, stream);
 	}
 
 	if (close_options & PHP_STREAM_FREE_CALL_DTOR) {
-- 
2.50.1