On 08/07/2011 01:31 PM, Stas Malyshev wrote:
> Hi!
> 
> On 8/7/11 8:24 AM, Rasmus Lerdorf wrote:
>> True, but the problem here is that name may be freed at that point. On
>> line 3355 we have:
>>
>>     property_info.name = (char*)name;
>>
>> and then on 3365:
>>
>>          if (ce->type == ZEND_USER_CLASS) {
>>              efree(property_info.name);
>>          } else {
>>              free(property_info.name);
>>          }
>>     property_info.name = interned_name;
>>
>> So property_info.name is set to the interned_name at that point, but the
>> original name char* is pointing to freed storage which is then used in
>> that hash update.
> 
> I don't think it can be. Only non-interned string is freed, and
> property_info.name = (char*)name is executed only for interned strings.

Yeah, I think Felipe and I came to the same conclusion eventually. But
it definitely isn't obvious from the code. We should probably comment that.

-Rasmus
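The ownership rule the thread settles on, as an added C example (not Zend's code): `name` is aliased only when it is already interned, so the only memory ever freed is a private copy, and the caller's pointer used for the hash update stays valid on both paths. The interned pool, `new_interned_string` and `declare_property` are constructed stand-ins for the Zend internals quoted above.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for Zend's interned-string table: entries live forever. */
static const char *const POOL[] = { "name", "value" };
#define POOL_LEN (sizeof POOL / sizeof *POOL)
static bool is_interned(const char *s) {
    for (size_t i = 0; i < POOL_LEN; i++)
        if (s == POOL[i]) return true;
    return false;
}
/* Stand-in for zend_new_interned_string: the pool entry equal to s, or s itself
   if there is none. An already-interned s therefore comes back unchanged. */
static const char *new_interned_string(const char *s) {
    for (size_t i = 0; i < POOL_LEN; i++)
        if (strcmp(s, POOL[i]) == 0) return POOL[i];
    return s;
}
typedef struct { char *name; } property_info_t;
/* Mirrors the two steps quoted in the thread. Returns the pointer that was
   freed, or NULL, so the caller can verify its own `name` was never released. */
static const char *declare_property(property_info_t *p, const char *name) {
    const char *freed = NULL;
    if (is_interned(name))
        p->name = (char *)name;      /* alias only when interned: never freed */
    else
        p->name = strdup(name);      /* otherwise the class owns a private copy */
    const char *interned_name = new_interned_string(p->name);
    if (interned_name != p->name) {  /* reachable only on the copy path */
        freed = p->name;
        free(p->name);
        p->name = (char *)interned_name;
    }
    /* the hash update keyed by the original `name` would run here */
    return freed;
}
/* True when the caller's `name` is still valid after declare_property. */
static bool caller_pointer_survives(const char *name) {
    property_info_t p;
    const char *freed = declare_property(&p, name);
    bool ok = freed != name && strcmp(p.name, name) == 0;
    if (!is_interned(p.name)) free(p.name);  /* release a copy that was kept */
    return ok;
}
/* Three constructed inputs: an interned name, a caller buffer that matches a
   pool entry, and a caller buffer that matches nothing. */
static bool interned_path_ok(void) { return caller_pointer_survives(POOL[0]); }
static bool copy_path_ok(void) { char buf[] = "value"; return caller_pointer_survives(buf); }
static bool fresh_path_ok(void) { char buf[] = "other"; return caller_pointer_survives(buf); }
```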

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php