Merge branch 'PHP-7.0'

Zend/tests/bug71859.phpt

@@ -0,0 +1,28 @@
+--TEST--
+Bug #71859 (zend_objects_store_call_destructors operates on realloced memory, crashing)
+--FILE--
+<?php
+class constructs_in_destructor {
+  public function __destruct() {
+    //We are now in zend_objects_store_call_destructors
+    //This causes a realloc in zend_objects_store_put
+    for ($i = 0; $i < 10000; ++$i) {
+      $GLOBALS["a$i"] = new stdClass;
+    }
+    //Returns to zend_objects_store_call_destructors, to access freed memory.
+  }
+}
+
+$a = new constructs_in_destructor;
+//Create cycle so destructors are ran only in zend_objects_store_call_destructors
+$a->a = $a;
+
+// Create some objects so zend_objects_store_call_destructors has something
+// to do after constructs_in_destructor is destroyed.
+for ($i = 0; $i < 200; ++$i) {
+  $GLOBALS["b$i"] = new stdClass;
+}
+?>
+okey
+--EXPECT--
+okey

Zend/zend_objects_API.c

@@ -44,12 +44,9 @@ ZEND_API void zend_objects_store_destroy(zend_objects_store *objects)
 ZEND_API void zend_objects_store_call_destructors(zend_objects_store *objects)
 {
 	if (objects->top > 1) {
-		zend_object **obj_ptr = objects->object_buckets + 1;
-		zend_object **end = objects->object_buckets + objects->top;
-
-		do {
-			zend_object *obj = *obj_ptr;
-
+		uint32_t i;
+		for (i = 1; i < objects->top; i++) {
+			zend_object *obj = objects->object_buckets[i];
 			if (IS_OBJ_VALID(obj)) {
 				if (!(GC_FLAGS(obj) & IS_OBJ_DESTRUCTOR_CALLED)) {
 					GC_FLAGS(obj) |= IS_OBJ_DESTRUCTOR_CALLED;
@@ -58,8 +55,7 @@ ZEND_API void zend_objects_store_call_destructors(zend_objects_store *objects)
 					GC_REFCOUNT(obj)--;
 				}
 			}
-			obj_ptr++;
-		} while (obj_ptr != end);
+		}
 	}
 }