iliaa           Wed Oct 22 19:42:56 2003 EDT

  Added files:                 
    /php-src/tests/lang bug25922.phpt 

  Modified files:              
    /ZendEngine2        zend.c 
  Log:
  Fixed bug #25922 (Crash in error handler when 5th argument is modified).
  
  
Index: ZendEngine2/zend.c
diff -u ZendEngine2/zend.c:1.252 ZendEngine2/zend.c:1.253
--- ZendEngine2/zend.c:1.252    Mon Sep 22 00:21:44 2003
+++ ZendEngine2/zend.c  Wed Oct 22 19:42:54 2003
@@ -17,7 +17,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: zend.c,v 1.252 2003/09/22 04:21:44 iliaa Exp $ */
+/* $Id: zend.c,v 1.253 2003/10/22 23:42:54 iliaa Exp $ */
 
 #include "zend.h"
 #include "zend_extensions.h"
@@ -840,7 +840,6 @@
        zval ***params;
        zval *retval;
        zval *z_error_type, *z_error_message, *z_error_filename, *z_error_lineno, 
*z_context;
-       zval lz_context;
        char *error_filename;
        uint error_lineno;
        zval *orig_user_error_handler;
@@ -903,6 +902,7 @@
                        ALLOC_INIT_ZVAL(z_error_type);
                        ALLOC_INIT_ZVAL(z_error_filename);
                        ALLOC_INIT_ZVAL(z_error_lineno);
+                       ALLOC_INIT_ZVAL(z_context);
 
                        z_error_message->value.str.len = 
zend_vspprintf(&z_error_message->value.str.val, 0, format, args);
                        z_error_message->type = IS_STRING;
@@ -919,11 +919,9 @@
                        z_error_lineno->value.lval = error_lineno;
                        z_error_lineno->type = IS_LONG;
 
-                       lz_context.value.ht = EG(active_symbol_table);
-                       lz_context.type = IS_ARRAY;
-                       lz_context.is_ref = 1;
-                       lz_context.refcount = 2; /* we don't want this one to be freed 
*/
-                       z_context = &lz_context;
+                       z_context->value.ht = EG(active_symbol_table);
+                       z_context->type = IS_ARRAY;
+                       ZVAL_ADDREF(z_context); /* we don't want this one to be freed 
*/
 
                        params = (zval ***) emalloc(sizeof(zval **)*5);
                        params[0] = &z_error_type;
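Review bot: `z_context->value.ht = EG(active_symbol_table);` makes a heap-allocated, refcounted zval point at a hashtable it does not own, and that zval is then passed to user code as the fifth handler argument. The overwrite case from the bug report should now separate instead of writing through, but a handler that keeps the value (in a global or static, say) would hold a zval that outlives this call, and destroying it later would presumably tear down the live symbol table. Giving the zval its own copy, with `zval_copy_ctor(z_context);` after the type is set and without the extra `ZVAL_ADDREF`, would let it be released with `zval_ptr_dtor(&z_context);` like the other arguments, at the cost of copying the table for each handled error. The enclosing switch case starts and ends outside this hunk.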
@@ -949,7 +947,9 @@
                        zval_ptr_dtor(&z_error_type);
                        zval_ptr_dtor(&z_error_filename);
                        zval_ptr_dtor(&z_error_lineno);
-                       ZVAL_DELREF(z_context);
+                       if (ZVAL_REFCOUNT(z_context) == 2) {
+                               FREE_ZVAL(z_context);
+                       }
                        break;
        }
 
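Review bot: `if (ZVAL_REFCOUNT(z_context) == 2)` has no else branch, so when the handler leaves the count at any other value, the two references this function took are never dropped and the container stays allocated while still pointing at the symbol table. The removed `ZVAL_DELREF(z_context);` ran on every path; the new check does not. At minimum the constant needs a comment, for example `/* 2 = ALLOC_INIT_ZVAL + ZVAL_ADDREF above: nobody else holds it, free the container only */`, and the other path should release both references and stop the surviving zval from referring to the borrowed hashtable. The setup this depends on is in the earlier hunk at -919, and the switch case continues outside this hunk.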

Index: php-src/tests/lang/bug25922.phpt
+++ php-src/tests/lang/bug25922.phpt
--TEST--
Bug #25922 (SEGV in error_handler when context is destroyed)
--INI--
error_reporting=2047
--FILE--
<?php
function my_error_handler($error, $errmsg='', $errfile='', $errline=0, $errcontext='')
{
        $errcontext = '';
}
                                                                                       
 
set_error_handler('my_error_handler');

function test()
{
        echo "Undefined index here: '{$data['HTTP_HEADER']}'\n";
}
test();
?>
--EXPECT--
Undefined index here: ''
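Review bot: The test only covers a handler that overwrites `$errcontext`; it does not cover a handler that keeps the context past its own return, which is the path where the engine's context zval is still referenced after the call. A second case that stores it, for example `$GLOBALS['saved_ctx'] = $errcontext;` inside the handler, and then reads `$GLOBALS['saved_ctx']` after `test()` returns, would pin that behaviour. Without it the non-2 refcount path in zend.c has no regression coverage.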
