[Pkg-php-commits] [php/debian-sid] Cherry-pick fix for crash in GC because of incorrect reference counting
Ondřej Surý
ondrej at sury.org
Wed Nov 17 09:48:09 UTC 2010
---
debian/patches/fix_crash_in_GC.patch | 55 ++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 56 insertions(+), 0 deletions(-)
create mode 100644 debian/patches/fix_crash_in_GC.patch
diff --git a/debian/patches/fix_crash_in_GC.patch b/debian/patches/fix_crash_in_GC.patch
new file mode 100644
index 0000000..539d974
--- /dev/null
+++ b/debian/patches/fix_crash_in_GC.patch
@@ -0,0 +1,55 @@
+--- a/Zend/zend_execute.c
++++ b/Zend/zend_execute.c
+@@ -714,8 +714,8 @@ static inline zval* zend_assign_to_varia
+ ALLOC_ZVAL(variable_ptr);
+ *variable_ptr_ptr = variable_ptr;
+ *variable_ptr = *value;
+- zval_copy_ctor(variable_ptr);
+ Z_SET_REFCOUNT_P(variable_ptr, 1);
++ zval_copy_ctor(variable_ptr);
+ } else {
+ *variable_ptr_ptr = value;
+ Z_ADDREF_P(value);
+--- /dev/null
++++ b/Zend/tests/gc_032.phpt
+@@ -0,0 +1,40 @@
++--TEST--
++GC 032: Crash in GC because of invalid reference counting
++--FILE--
++<?php
++$a = array();
++$b =& $a;
++$a[0] = $a;
++debug_zval_dump($a);
++$a = array(array());
++$b =& $a;
++$a[0][0] = $a;
++debug_zval_dump($a);
++?>
++--EXPECT--
++array(1) refcount(1){
++ [0]=>
++ array(1) refcount(3){
++ [0]=>
++ array(1) refcount(3){
++ [0]=>
++ *RECURSION*
++ }
++ }
++}
++array(1) refcount(1){
++ [0]=>
++ array(1) refcount(3){
++ [0]=>
++ array(1) refcount(1){
++ [0]=>
++ array(1) refcount(3){
++ [0]=>
++ array(1) refcount(1){
++ [0]=>
++ *RECURSION*
++ }
++ }
++ }
++ }
++}
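Review bot: The new patch file begins directly at `--- a/Zend/zend_execute.c` with no header, so nothing in it records which upstream change it was cherry-picked from or which bug it addresses. A short DEP-3 style header such as `Description: Fix crash in GC because of incorrect reference counting` and `Origin: upstream, <upstream revision URL>` would keep the fix traceable when the package is audited or rebased. The embedded change only moves `Z_SET_REFCOUNT_P(variable_ptr, 1);` ahead of `zval_copy_ctor(variable_ptr);`, and the description should also say why that order matters. Judging from the test (`$a[0] = $a` with `$b =& $a`), the copy can presumably take references to the new zval itself, which resetting the count afterwards would discard, leaving it under-counted and open to a premature free. The body of `zend_assign_to_variable` starts and ends outside the embedded hunk, so this could not be confirmed from the lines shown.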
diff --git a/debian/patches/series b/debian/patches/series
index b6da571..751a01e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -66,3 +66,4 @@ bug52827.patch
bug52843.patch
CVE-2010-3436.patch
bug52947.patch
+fix_crash_in_GC.patch
--
1.7.1