Fixed bug #69485 (Double free on zend_list_dtor).

Author: laruence

NEWS

@@ -8,6 +8,7 @@
   . Update the MIME type list from the one shipped by Apache HTTPD. (Adam)
 
 - Core:
+  . Fixed bug #69485 (Double free on zend_list_dtor). (Laruence)
   . Fixed bug #69427 (Segfault on magic method __call of private method in 
     superclass). (Laruence)
   . Improved __call() and __callStatic() magic method handling. Now they are

Zend/zend_list.c

@@ -65,17 +65,19 @@ ZEND_API int zend_list_free(zend_resource *res)
 static void zend_resource_dtor(zend_resource *res)
 {
 	zend_rsrc_list_dtors_entry *ld;
+	zend_resource r = *res;
 
-	ld = zend_hash_index_find_ptr(&list_destructors, res->type);
+	res->type = -1;
+	res->ptr = NULL;
+
+	ld = zend_hash_index_find_ptr(&list_destructors, r.type);
 	if (ld) {
 		if (ld->list_dtor_ex) {
-			ld->list_dtor_ex(res);
+			ld->list_dtor_ex(&r);
 		}
 	} else {
-		zend_error(E_WARNING,"Unknown list entry type (%d)", res->type);
+		zend_error(E_WARNING, "Unknown list entry type (%d)", r.type);
 	}
-	res->ptr = NULL;
-	res->type = -1;
 }
 
 
@@ -178,8 +180,8 @@ void list_entry_destructor(zval *zv)
 {
 	zend_resource *res = Z_RES_P(zv);
 
+	ZVAL_UNDEF(zv);
 	if (res->type >= 0) {
-
 		zend_resource_dtor(res);
 	}
 	efree_size(res, sizeof(zend_resource));

ext/curl/interface.c

@@ -283,7 +283,7 @@ void _php_curl_verify_handlers(php_curl *ch, int reporterror) /* {{{ */
 			curl_easy_setopt(ch->cp, CURLOPT_FILE, (void *) ch);
 		}
 	}
-	return ;
+	return;
 }
 /* }}} */
 

ext/curl/tests/bug69485.phpt

@@ -0,0 +1,22 @@
+--TEST--
+Bug #69485 (Double free on zend_list_dtor)
+--SKIPIF--
+<?php include 'skipif.inc'; ?>
+--FILE--
+<?php
+
+class O {
+	public $ch;
+	public function dummy() {
+	}
+}
+
+$ch = curl_init();
+
+$o = new O;
+$o->ch = $ch;
+curl_setopt($ch, CURLOPT_WRITEFUNCTION, array($o, "dummy"));
+?>
+==DONE==
+--EXPECT--
+==DONE==