Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:15847
Return-Path: <kameshj@fastmail.fm>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 43909 invoked by uid 1010); 6 Apr 2005 07:18:39 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 43894 invoked from network); 6 Apr 2005 07:18:39 -0000
Received: from unknown (HELO fastmail.fm) (127.0.0.1)
  by localhost with SMTP; 6 Apr 2005 07:18:39 -0000
X-Host-Fingerprint: 66.111.4.25 out1.smtp.messagingengine.com  
Received: from ([66.111.4.25:36394] helo=out1.smtp.messagingengine.com)
	by pb1.pair.com (ecelerity HEAD r(5268)) with SMTP
	id B9/6F-19272-F4D83524 for <internals@lists.php.net>; Wed, 06 Apr 2005 03:18:39 -0400
Received: from web2.messagingengine.com (web2.internal [10.202.2.211])
	by frontend1.messagingengine.com (Postfix) with ESMTP id 0CC2BC7101F;
	Wed,  6 Apr 2005 03:18:37 -0400 (EDT)
Received: by web2.messagingengine.com (Postfix, from userid 99)
	id 70B782720; Wed,  6 Apr 2005 03:18:35 -0400 (EDT)
Message-ID: <1112771915.21486.231222681@webmail.messagingengine.com>
X-Sasl-Enc: dCqJ5eu+sJB0ijbSnDaU8XUjUHMGZGdAMwiCKQ5BlpN8 1112771915
To: "Derick Rethans" <derick@php.net>
Cc: internals@lists.php.net
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
X-Mailer: MIME::Lite 1.5  (F2.73; T1.001; A1.64; B3.05; Q3.03)
References: <1112771633.21209.231222484@webmail.messagingengine.com>
	<Pine.LNX.4.62.0504060915520.4513@localhost>
In-Reply-To: <Pine.LNX.4.62.0504060915520.4513@localhost>
Date: Wed, 06 Apr 2005 00:18:35 -0700
Subject: Re: [PHP-DEV] refcount and hence double free issue
From: kameshj@fastmail.fm ("Kamesh Jayachandran")

It happens in php-5.0.4 also.

With regards
Kamesh Jayachandran
On Wed, 6 Apr 2005 09:16:34 +0200 (CEST), "Derick Rethans"
<derick@php.net> said:
> On Wed, 6 Apr 2005, Kamesh Jayachandran wrote:
> 
> > Hi All,
> > I have come across a double free because of improper refcount
> > manipulation.
> > <?php
> > class MyTextSanitizer
> > {
> >     var $smileys=array()
> >     function MyTextSanitizer() {}
> >     function getSmileys()
> >     {
> >         return $this->smileys;
> >     }
> > }
> > $myts = new MyTextSanitizer();
> > $smiles =& $myts->getSmileys(); //calling by ref alone causes improper
> > refcount 
> > $smiles = $myts->getSmileys(); //this does not cause improper refcount 
> > ?>
> 
> This fact is known, Marcus and I have a working patch for this - but 
> it'll break binairy compat for PHP 4.4 - stay tuned for this.
> 
> regards,
> Derick
> 
> -- 
> Derick Rethans
> http://derickrethans.nl | http://ez.no | http://xdebug.org