Merge branch 'PHP-7.3' into PHP-7.4

dstogov · dstogov · commit 720438c8eeb1 · 2019-08-08T10:07:39.000+03:00
* PHP-7.3:
  Fixed bug #78379 (Cast to object confuses GC, causes crash)
diff --git a/NEWS b/NEWS
@@ -11,6 +11,7 @@ PHP                                                                        NEWS
   . Fixed bug #78344 (Segmentation fault on zend_check_protected). (Nikita)
   . Fixed bug #78356 (Array returned from ArrayAccess is incorrectly unpacked
     as argument). (Nikita)
+  . Fixed bug #78379 (Cast to object confuses GC, causes crash). (Dmitry)
 
 - Exif:
   . Fixed bug #78333 (Exif crash (bus error) due to wrong alignment and
diff --git a/Zend/tests/bug78379.phpt b/Zend/tests/bug78379.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #78379 (Cast to object confuses GC, causes crash)
+--INI--
+opcache.enable=0
+--FILE--
+<?php
+class C {
+	public function __construct() {
+		$this->p = (object)["x" => [1]];
+	}
+}
+class E {
+}
+$e = new E;
+$e->f = new E;
+$e->f->e = $e;
+$e->a = new C;
+$e = null;
+gc_collect_cycles();
+var_dump(new C);
+?>
+--EXPECTF--
+object(C)#%d (1) {
+  ["p"]=>
+  object(stdClass)#%d (1) {
+    ["x"]=>
+    array(1) {
+      [0]=>
+      int(1)
+    }
+  }
+}
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -127,6 +127,11 @@ ZEND_API HashTable *zend_std_get_gc(zval *object, zval **table, int *n) /* {{{ *
 		if (zobj->properties) {
 			*table = NULL;
 			*n = 0;
+			if (UNEXPECTED(GC_REFCOUNT(zobj->properties) > 1)
+			 && EXPECTED(!(GC_FLAGS(zobj->properties) & IS_ARRAY_IMMUTABLE))) {
+				GC_DELREF(zobj->properties);
+				zobj->properties = zend_array_dup(zobj->properties);
+			}
 			return zobj->properties;
 		} else {
 			*table = zobj->properties_table;
