php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

Patch bug_74310_decrement_after_alloc for Reproducible crash Bug #74310

Patch version 2017-03-26 17:08 UTC

Return to Bug #74310 | Download this patch
Patch Revisions:

Developer: bwoebi@php.net

diff --git a/Zend/zend_string.h b/Zend/zend_string.h
index 77dd083..fd28611 100644
--- a/Zend/zend_string.h
+++ b/Zend/zend_string.h
@@ -208,11 +208,12 @@ static zend_always_inline zend_string *zend_string_realloc(zend_string *s, size_
 			ZSTR_LEN(ret) = len;
 			zend_string_forget_hash_val(ret);
 			return ret;
-		} else {
-			GC_REFCOUNT(s)--;
 		}
+		ret = zend_string_alloc(len, persistent);
+		GC_REFCOUNT(s)--;
+	} else {
+		ret = zend_string_alloc(len, persistent);
 	}
-	ret = zend_string_alloc(len, persistent);
 	memcpy(ZSTR_VAL(ret), ZSTR_VAL(s), MIN(len, ZSTR_LEN(s)) + 1);
 	return ret;
 }
@@ -228,11 +229,12 @@ static zend_always_inline zend_string *zend_string_extend(zend_string *s, size_t
 			ZSTR_LEN(ret) = len;
 			zend_string_forget_hash_val(ret);
 			return ret;
-		} else {
-			GC_REFCOUNT(s)--;
 		}
+		ret = zend_string_alloc(len, persistent);
+		GC_REFCOUNT(s)--;
+	} else {
+		ret = zend_string_alloc(len, persistent);
 	}
-	ret = zend_string_alloc(len, persistent);
 	memcpy(ZSTR_VAL(ret), ZSTR_VAL(s), ZSTR_LEN(s) + 1);
 	return ret;
 }
@@ -248,11 +250,12 @@ static zend_always_inline zend_string *zend_string_truncate(zend_string *s, size
 			ZSTR_LEN(ret) = len;
 			zend_string_forget_hash_val(ret);
 			return ret;
-		} else {
-			GC_REFCOUNT(s)--;
 		}
+		ret = zend_string_alloc(len, persistent);
+		GC_REFCOUNT(s)--;
+	} else {
+		ret = zend_string_alloc(len, persistent);
 	}
-	ret = zend_string_alloc(len, persistent);
 	memcpy(ZSTR_VAL(ret), ZSTR_VAL(s), len + 1);
 	return ret;
 }
@@ -270,8 +273,11 @@ static zend_always_inline zend_string *zend_string_safe_realloc(zend_string *s,
 		} else {
 			GC_REFCOUNT(s)--;
 		}
+		ret = zend_string_safe_alloc(n, m, l, persistent);
+		GC_REFCOUNT(s)--;
+	} else {
+		ret = zend_string_safe_alloc(n, m, l, persistent);
 	}
-	ret = zend_string_safe_alloc(n, m, l, persistent);
 	memcpy(ZSTR_VAL(ret), ZSTR_VAL(s), MIN((n * m) + l, ZSTR_LEN(s)) + 1);
 	return ret;
 }
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Aug 01 05:01:24 2021 UTC