On 08/07/2011 01:31 PM, Stas Malyshev wrote:
> Hi!
>
> On 8/7/11 8:24 AM, Rasmus Lerdorf wrote:
>> True, but the problem here is that name may be free'ed at that point. On
>> line 3355 we have:
>>
>>     property_info.name = (char*)name;
>>
>> and then on 3365:
>>
>>     if (ce->type == ZEND_USER_CLASS) {
>>         efree(property_info.name);
>>     } else {
>>         free(property_info.name);
>>     }
>>     property_info.name = interned_name;
>>
>> So property_info.name is set to the interned_name at that point, but the
>> original name char* is pointing to free'd storage which is then used in
>> that hash update.
>
> I don't think it can be. Only non-interned string is freed, and
> property_info.name = (char*)name is executed only for interned strings.

Yeah, I think Felipe and I came to the same conclusion eventually. But it
definitely isn't obvious from the code. We should probably comment that.

-Rasmus

--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php