MFH: Fix bug #61165 (Segfault - strip_tags())

NEWS

@@ -4,6 +4,7 @@ PHP                                                                        NEWS
 
 - Core:
   . Fixed bug #61225 (Incorect lexing of 0b00*+<NUM>). (Pierrick)
+  . Fixed bug #61165 (Segfault - strip_tags()). (Laruence)
 
 - Standard:
   . Fixed memory leak in substr_replace. (Pierrick)

Zend/tests/bug61165.phpt

@@ -0,0 +1,28 @@
+--TEST--
+Bug #61165 (Segfault - strip_tags())
+--FILE--
+<?php
+
+$handler = NULL;
+class T {
+    public $_this;
+
+    public function __toString() {
+		global $handler;
+	    $handler = $this;
+        $this->_this = $this; // <-- uncoment this
+        return 'A';
+    }
+}
+
+$t = new T;
+for ($i = 0; $i < 3; $i++) {
+    strip_tags($t);
+	strip_tags(new T);
+}
+var_dump($handler);
+--EXPECTF--
+object(T)#%d (1) {
+  ["_this"]=>
+  *RECURSION*
+}

Zend/zend_API.c

@@ -262,12 +262,16 @@ ZEND_API int zend_get_object_classname(const zval *object, const char **class_na
 static int parse_arg_object_to_string(zval **arg, char **p, int *pl, int type TSRMLS_DC) /* {{{ */
 {
 	if (Z_OBJ_HANDLER_PP(arg, cast_object)) {
-		SEPARATE_ZVAL_IF_NOT_REF(arg);
-		if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, type TSRMLS_CC) == SUCCESS) {
+		zval *obj;
+		MAKE_STD_ZVAL(obj);
+		if (Z_OBJ_HANDLER_P(*arg, cast_object)(*arg, obj, type TSRMLS_CC) == SUCCESS) {
+			zval_ptr_dtor(arg);
+			*arg = obj;
 			*pl = Z_STRLEN_PP(arg);
 			*p = Z_STRVAL_PP(arg);
 			return SUCCESS;
 		}
+		efree(obj);
 	}
 	/* Standard PHP objects */
 	if (Z_OBJ_HT_PP(arg) == &std_object_handlers || !Z_OBJ_HANDLER_PP(arg, cast_object)) {