MFB: Fixed bug #42976 (Crash when constructor for newInstance() or

19 years ago · 39f1f2fcd3
3 changed files with 44 additions and 4 deletions
--- a/2
+++ b/2
@ -44,6 +44,8 @@ PHP                                                                        NEWS
  (Ilia)
 - Fixed bug #43020 (Warning message is missing with shuffle() and more
  than one argument). (Scott)
+- Fixed bug #42976 (Crash when constructor for newInstance() or 
+  newInstanceArgs() fails) (Ilia)
 - Fixed bug #42943 (ext/mssql: Move *timeout initialization from RINIT
  to connect time). (Ilia)
 - Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode).
--- a/ext/reflection/php_reflection.c
+++ b/ext/reflection/php_reflection.c
@ -3405,7 +3405,7 @@ ZEND_METHOD(reflection_class, isInstance)
   Returns an instance of this class */
 ZEND_METHOD(reflection_class, newInstance)
 {
-	zval *retval_ptr;
+	zval *retval_ptr = NULL;
 	reflection_object *intern;
 	zend_class_entry *ce;
 	int argc = ZEND_NUM_ARGS();
@ -3449,7 +3449,9 @@ ZEND_METHOD(reflection_class, newInstance)

 		if (zend_call_function(&fci, &fcc TSRMLS_CC) == FAILURE) {
 			efree(params);
-			zval_ptr_dtor(&retval_ptr);
+			if (retval_ptr) {
+				zval_ptr_dtor(&retval_ptr);
+			}
 			zend_error(E_WARNING, "Invocation of %s's constructor failed", ce->name);
 			RETURN_NULL();
 		}
@ -3469,7 +3471,7 @@ ZEND_METHOD(reflection_class, newInstance)
   Returns an instance of this class */
 ZEND_METHOD(reflection_class, newInstanceArgs)
 {
-	zval *retval_ptr;
+	zval *retval_ptr = NULL;
 	reflection_object *intern;
 	zend_class_entry *ce;
 	int argc = 0;
@ -3524,7 +3526,9 @@ ZEND_METHOD(reflection_class, newInstanceArgs)
 			if (params) {
 				efree(params);
 			}
-			zval_ptr_dtor(&retval_ptr);
+			if (retval_ptr) {
+				zval_ptr_dtor(&retval_ptr);
+			}
 			zend_error(E_WARNING, "Invocation of %s's constructor failed", ce->name);
 			RETURN_NULL();
 		}
--- a/ext/reflection/tests/bug42976.phpt
+++ b/ext/reflection/tests/bug42976.phpt
@ -0,0 +1,34 @@
+--TEST--
+Bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails)
+--FILE--
+<?php
+
+Class C {
+	function __construct(&$x) {
+		$x = "x.changed";
+	}
+}
+
+$x = "x.original";
+new C($x); // OK
+var_dump($x);
+
+$rc = new ReflectionClass('C');
+$x = "x.original";
+$rc->newInstance($x); // causes crash
+var_dump($x);
+$x = "x.original";
+$rc->newInstanceArgs(array($x)); // causes crash	
+var_dump($x);
+
+echo "Done\n";
+?>
+--EXPECTF--	
+string(9) "x.changed"
+
+Warning: Invocation of C's constructor failed in %s/bug42976.php on line %d
+string(10) "x.original"
+
+Warning: Invocation of C's constructor failed in %s/bug42976.php on line %d
+string(10) "x.original"
+Done