The patch doesn't look quite right.

- convert_to_string_ex(val);
+ zval tmpz;
+ zval *tmpzp;
+ tmpz = *(*val);
+ zval_copy_ctor(&tmpz);
+ tmpz.refcount=1;
+ tmpzp = &tmpz;
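Review bot: this hunk drops the string conversion that convert_to_string_ex(val) performed, so a $pk that is not already a string (the reproducer quoted below passes false) reaches the Z_STRVAL_PP/Z_STRLEN_PP reads unconverted; convert the value before taking its string, as Wez suggests. The zval_copy_ctor(&tmpz) also has no matching zval_dtor(&tmpz) anywhere in the hunk, and since the copy constructor duplicates the string buffer, the copy leaks on every call unless it is released once the BIO no longer needs it.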
I think that this is a place where convert_to_string(val) should be used instead.

- in = BIO_new_mem_buf(Z_STRVAL_PP(val), Z_STRLEN_PP(val));
+ in = BIO_new_mem_buf(Z_STRVAL_PP(&tmpzp), Z_STRLEN_PP(&tmpzp));

If you still need to use zval* instead of zval**, you can use Z_STRVAL_P(tmpzp) instead of taking the address and using Z_STRVAL_PP().

Can you check your patch again using convert_to_string() instead?

--Wez.

On 5/25/05, Kamesh Jayachandran <[EMAIL PROTECTED]> wrote:
> Hi Wez & Jani,
> The following snippet causes a double free of memory and corrupts the symbol
> table.
> <?php
> $pk=false;//As openssl_get_publickey($nonsense) can give false
> openssl_public_encrypt("Test",$encrypted,$pk);
> $pk=false;
> ?>
>
> The culprit is php_openssl_evp_from_zval, which is called by
> openssl_public_encrypt.
> openssl_public_encrypt reduces the refcount of $pk from 2 to 1.
> zend_ptr_stack_clear_multiple reduces it again to 0 as a normal cleanup
> upon return from openssl_public_encrypt.
> And hence the zval associated with $pk is getting freed.
> But the symbol table still refers to the freed pointer.
>
> The patch for the 5.0 tree is available at
> http://puggy.symonds.net/~kameshj/openssl.c.patch.5.0
>
> With regards
> Kamesh Jayachandran
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
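Review bot: Z_STRVAL_PP(&tmpzp) and Z_STRLEN_PP(&tmpzp) in the second hunk take the address of a local pointer only to dereference it twice; Z_STRVAL_P(tmpzp) and Z_STRLEN_P(tmpzp) express the same thing directly, as Wez notes. Note also that BIO_new_mem_buf does not copy the buffer it is handed, so the string held in tmpz has to stay alive until the BIO is freed; releasing the copy too early would replace the reported double free with a use-after-free inside the BIO.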