Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:7059
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Date: Tue, 13 Jan 2004 15:03:30 -0500
To: internals@lists.php.net
Message-ID: <20040113200330.GE23361@bumblebury.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="b5gNqxB1S1yM7hjW"
Content-Disposition: inline
User-Agent: Mutt/1.5.4i
Subject: fix for bug #26696
From: sterling@php.net (Sterling Hughes)

--b5gNqxB1S1yM7hjW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hey,

I've attached a fix for an engine level crash in switch() when it is
used with string offsets.  This eliminates a double-free and valgrind
reports that no new leaks have been introduced.

-Sterling

--b5gNqxB1S1yM7hjW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="switch_crash.diff"

Index: zend_execute.c
===================================================================
RCS file: /repository/ZendEngine2/zend_execute.c,v
retrieving revision 1.582
diff -u -r1.582 zend_execute.c
--- zend_execute.c	8 Jan 2004 17:31:47 -0000	1.582
+++ zend_execute.c	13 Jan 2004 19:58:18 -0000
@@ -194,13 +194,7 @@
 {
 	switch (opline->op1.op_type) {
 		case IS_VAR:
-			if (!T(opline->op1.u.var).var.ptr_ptr) {
-				temp_variable *T = &T(opline->op1.u.var);
-				/* perform the equivalent of equivalent of a
-				 * quick & silent get_zval_ptr, and FREE_OP
-				 */
-				PZVAL_UNLOCK(T->var.str_offset.str);
-			} else {
+			if (T(opline->op1.u.var).var.ptr_ptr) {
 				zval_ptr_dtor(&T(opline->op1.u.var).var.ptr);
 				if (opline->extended_value) { /* foreach() free */
 					zval_ptr_dtor(&T(opline->op1.u.var).var.ptr);

--b5gNqxB1S1yM7hjW--