From e2230c17d3e17981c739cb858bc78d47d2365836 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Tue, 16 Aug 2016 21:04:31 +0200
Subject: [PATCH] Fix bug #72854

---
 NEWS                     |  1 +
 Zend/tests/bug72854.phpt | 18 ++++++++++++++++++
 Zend/zend_execute.c      |  4 +++-
 3 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/bug72854.phpt

diff --git a/NEWS b/NEWS
index f58aa0b8603..d17a9365a40 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,7 @@ PHP NEWS
   . Fixed bug #72813 (Segfault with __get returned by ref). (Laruence)
   . Fixed bug #72767 (PHP Segfaults when trying to expand an infinite operator).
     (Nikita)
+  . Fixed bug #72854 (PHP Crashes on duplicate destructor call). (Nikita)
 
 - FTP:
   . Fixed bug #70195 (Cannot upload file using ftp_put to FTPES with
diff --git a/Zend/tests/bug72854.phpt b/Zend/tests/bug72854.phpt
new file mode 100644
index 00000000000..74139c7ebc1
--- /dev/null
+++ b/Zend/tests/bug72854.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #72854: PHP Crashes on duplicate destructor call
+--FILE--
+prop = $t;
+	return $t;
+}
+
+$i = 42;
+get()->prop =& $i;
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 1012b3cc4fc..a2ef9c3f4de 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -576,6 +576,7 @@ static inline zval *_get_obj_zval_ptr_ptr(int op_type, znode_op node, zend_execu
 static inline void zend_assign_to_variable_reference(zval *variable_ptr, zval *value_ptr)
 {
 	zend_reference *ref;
+	zval garbage;
 
 	if (EXPECTED(!Z_ISREF_P(value_ptr))) {
 		ZVAL_NEW_REF(value_ptr, value_ptr);
@@ -585,8 +586,9 @@ static inline void zend_assign_to_variable_reference(zval *variable_ptr, zval *v
 	ref = Z_REF_P(value_ptr);
 	GC_REFCOUNT(ref)++;
 
-	zval_ptr_dtor(variable_ptr);
+	ZVAL_COPY_VALUE(&garbage, variable_ptr);
 	ZVAL_REF(variable_ptr, ref);
+	zval_ptr_dtor(&garbage);
 }
 
 /* this should modify object only if it's empty */
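Review bot: The reordering in the second Zend/zend_execute.c hunk — copying the old slot contents into `garbage`, installing the new reference with `ZVAL_REF(variable_ptr, ref)`, and only then calling `zval_ptr_dtor(&garbage)` — is the entire fix, yet it carries no comment saying why the order matters, so a later cleanup could fold it back into the original `zval_ptr_dtor(variable_ptr)` form and reintroduce the crash. As far as the diff shows, the hazard is that `zval_ptr_dtor()` can run a userland `__destruct` while the slot is still being rewritten; with the old order the slot's contents were released before the new reference was stored, so a destructor that re-read the slot presumably observed an already-freed value (the "duplicate destructor call" of the bug title). I would add above the `ZVAL_COPY_VALUE` line: `/* Release the old value only after the slot holds the new reference: zval_ptr_dtor() may run a userland __destruct that re-reads variable_ptr (bug #72854). */`. The `zval garbage;` declaration in the first hunk belongs to the same change, and the body of zend_assign_to_variable_reference between the two hunks is outside the diff.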