Fixed bug #70330 (Segmentation Fault with multiple "curl_copy_handle")

dereckson · Aug 23, 2015 · 4df6f26 · 4df6f26
1 parent 55f8814
commit 4df6f26
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 5 deletions.
diff --git a/NEWS b/NEWS
@@ -10,6 +10,10 @@ PHP                                                                        NEWS
   . Fixed bug #70145 (From field incorrectly parsed from headers). (Anatol)
   . Fixed bug causing exception traces with anon classes to be truncated. (Bob)
 
+- Curl:
+  . Fixed bug #70330 (Segmentation Fault with multiple "curl_copy_handle").
+    (Laruence)
+
 - PDO_OCI:
   . Fixed bug #70308 (PDO::ATTR_PREFETCH is ignored). (Chris Jones)
 

diff --git a/ext/curl/interface.c b/ext/curl/interface.c
@@ -1739,7 +1739,8 @@ static php_curl *alloc_curl_handle()
 #if LIBCURL_VERSION_NUM >= 0x071500 /* Available since 7.21.0 */
 	ch->handlers->fnmatch      = NULL;
 #endif
-	ch->clone 				   = 1;
+	ch->clone 				   = emalloc(sizeof(uint32_t));
+	*ch->clone                 = 1;
 
 	memset(&ch->err, 0, sizeof(struct _php_curl_error));
 
@@ -1994,9 +1995,11 @@ PHP_FUNCTION(curl_copy_handle)
 	efree(dupch->to_free->slist);
 	efree(dupch->to_free);
 	dupch->to_free = ch->to_free;
+	efree(dupch->clone);
+	dupch->clone = ch->clone;
 
 	/* Keep track of cloned copies to avoid invoking curl destructors for every clone */
-	ch->clone++;
+	(*ch->clone)++;
 
 	ZVAL_RES(return_value, zend_register_resource(dupch, le_curl));
 	dupch->res = Z_RES_P(return_value);
@@ -2580,7 +2583,7 @@ static int _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue) /* {{{
 					return FAILURE;
 				}
 
-				if (ch->clone == 0) {
+				if ((*ch->clone) == 1) {
 					zend_llist_clean(&ch->to_free->post);
 				}
 				zend_llist_add_element(&ch->to_free->post, &first);
@@ -3190,12 +3193,13 @@ static void _php_curl_close_ex(php_curl *ch)
 	curl_easy_cleanup(ch->cp);
 
 	/* cURL destructors should be invoked only by last curl handle */
-	if (--ch->clone == 0) {
+	if (--(*ch->clone) == 0) {
 		zend_llist_clean(&ch->to_free->str);
 		zend_llist_clean(&ch->to_free->post);
 		zend_hash_destroy(ch->to_free->slist);
 		efree(ch->to_free->slist);
 		efree(ch->to_free);
+		efree(ch->clone);
 	}
 
 	smart_str_free(&ch->handlers->write->buf);

diff --git a/ext/curl/php_curl.h b/ext/curl/php_curl.h
@@ -181,7 +181,7 @@ typedef struct {
 	struct _php_curl_send_headers header;
 	struct _php_curl_error        err;
 	zend_bool                     in_callback;
-	uint32_t                      clone;
+	uint32_t*                     clone;
 } php_curl;
 
 #define CURLOPT_SAFE_UPLOAD -1

diff --git a/ext/curl/tests/bug70330.phpt b/ext/curl/tests/bug70330.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #70330 (Segmentation Fault with multiple "curl_copy_handle")
+--SKIPIF--
+<?php include 'skipif.inc'; ?>
+--FILE--
+<?php
+$t2 = curl_init();
+$t3 = curl_copy_handle($t2);
+$t3 = curl_copy_handle($t2);
+$t4 = curl_init();
+$t3 = curl_copy_handle($t4);
+$t5 = curl_init();
+$t6 = curl_copy_handle($t5);
+?>
+okey
+--EXPECT--
+okey