mirrors/php-src
0
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-12-18 22:41:20 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix double free if post inc of typed property throws

Browse Source 
We either need to add an extra ref because the copy is used as the
retval, which is freed by HANDLE_EXCEPTION, or we need to undef it
(done here).
This commit is contained in:
Nikita Popov 2019-02-08 12:43:11 +01:00
parent a9d4caeece
commit 0d4471fd28
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Zend/zend_execute.c
View File

@ -1680,6 +1680,7 @@ static void zend_incdec_typed_ref(zend_reference *ref, zval *copy, int inc EXECU
} else if (UNEXPECTED(!zend_verify_ref_assignable_zval(ref, var_ptr, EX_USES_STRICT_TYPES()))) {
zval_ptr_dtor(var_ptr);
ZVAL_COPY_VALUE(var_ptr, copy);
ZVAL_UNDEF(copy);
} else if (copy == &tmp) {
zval_ptr_dtor(&tmp);
}
@ -1707,6 +1708,7 @@ static void zend_incdec_typed_prop(zend_property_info *prop_info, zval *var_ptr,
} else if (UNEXPECTED(!zend_verify_property_type(prop_info, var_ptr, EX_USES_STRICT_TYPES()))) {
zval_ptr_dtor(var_ptr);
ZVAL_COPY_VALUE(var_ptr, copy);
ZVAL_UNDEF(copy);
} else if (copy == &tmp) {
zval_ptr_dtor(&tmp);
}