Newsgroups: php.internals
Message-ID: <40BDBD4D.4050905@php.net>
Date: Wed, 02 Jun 2004 13:43:09 +0200
From: sesser@php.net (Stefan Esser)
To: internals@lists.php.net
Subject: ZendEngine 2 - Double Free BUG

Hi,

I ported Hardened-PHP to PHP5 yesterday night and got into the problem that there were some crashes. While one of the crashes is a problem in the port (at least I guess so), the other one was a detected double efree() in __set__get_001.phpt.

I tracked this double free down to

    static void zend_post_incdec_property(...)

where z is passed to

    Z_OBJ_HT_P(object)->write_property(object, property, z TSRMLS_CC);

Within this function z is freed, and

    if (z->refcount == 0) {
        zval_dtor(z);
        FREE_ZVAL(z);
    }

will free it again.

I fixed this by adding a z->refcount++ after

    *retval = *z;

but I do not know if this is the correct place, because I am not really into ZE2 internals.

Stefan Esser
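The ownership mistake in the report, modelled as an added C example (this is not Zend engine code and not the reporter's patch). It assumes a cut-down zval with a refcount, a write_property handler that takes a reference on entry and drops it on return (freeing at zero, as a __set call does with its argument), and an instrumented release routine that counts a second release of the same block instead of performing it, so the program stays well-defined while still showing the double free. The "hold_reference" path pairs the reported z->refcount++ with a matching decrement-and-release afterwards; that pairing is an assumption about the complete fix, not something the report states.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a zval: a value plus a reference count.
 * refcount 0 means "temporary, owned by whoever holds the pointer". */
typedef struct {
    long value;
    int  refcount;
    int  freed;      /* instrumentation: set on the first release */
} zval;

/* Instrumentation in place of efree(): a second release of the same block is
 * counted rather than performed. */
static int g_double_frees;
static int g_live_zvals;

static zval *new_temporary(long v)
{
    zval *z = malloc(sizeof *z);
    z->value = v;
    z->refcount = 0;     /* a fresh temporary, as a value handed back by a getter would be */
    z->freed = 0;
    g_live_zvals++;
    return z;
}

static void release_zval(zval *z)
{
    if (z->freed) {      /* this is the double efree() the report describes */
        g_double_frees++;
        return;
    }
    z->freed = 1;
    g_live_zvals--;
    /* a real allocator would free(z) here; the block is kept so the flag stays readable */
}

/* Model of the object's write_property handler: binding z to the handler's
 * argument takes a reference, returning drops it, and a count of zero frees. */
static void write_property(long *slot, zval *z)
{
    z->refcount++;
    *slot = z->value;
    if (--z->refcount == 0)
        release_zval(z);
}

typedef struct {
    long returned;       /* the pre-increment value the expression yields */
    int  double_frees;
    int  leaked;
} incdec_result;

/* Post-increment of a property, with or without the caller holding its own
 * reference across the write_property call. */
static incdec_result post_incdec_property(long *slot, int hold_reference)
{
    g_double_frees = 0;
    g_live_zvals = 0;
    zval *z = new_temporary(*slot);
    zval retval = *z;                /* "*retval = *z" in the report: keep the old value */

    z->value++;
    if (hold_reference)
        z->refcount++;               /* caller's own reference: the callee cannot free z */

    write_property(slot, z);         /* releases z if nobody else holds it */

    if (hold_reference) {
        if (--z->refcount == 0)      /* matching release of the caller's reference */
            release_zval(z);
    } else if (z->refcount == 0) {   /* the original check: reads z after it may be freed */
        release_zval(z);
    }

    incdec_result r = { retval.value, g_double_frees, g_live_zvals };
    free(z);                         /* instrumentation cleanup; nothing above really freed it */
    return r;
}

/* Wrappers so each outcome can be checked as a single value. */
static int  double_frees_for(int hold_reference) { long p = 41; return post_incdec_property(&p, hold_reference).double_frees; }
static int  leaked_for(int hold_reference)       { long p = 41; return post_incdec_property(&p, hold_reference).leaked; }
static long new_value_for(int hold_reference)    { long p = 41; post_incdec_property(&p, hold_reference); return p; }

int main(void)
{
    printf("without own reference: double frees %d, property now %ld\n",
           double_frees_for(0), new_value_for(0));
    printf("with own reference:    double frees %d, leaked %d, property now %ld\n",
           double_frees_for(1), leaked_for(1), new_value_for(1));
    return 0;
}
```

The point the model makes is that a refcount check after a call is only meaningful if the caller itself holds a reference across that call; otherwise the callee may have taken the count to zero and freed the block, and the check reads freed memory before freeing it a second time.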