https://bugzilla.wikimedia.org/show_bug.cgi?id=65796
--- Comment #10 from Tim Starling <[email protected]> ---

The reason it works at all is because when you pass the result of _object_and_properties_init() as the EZC function return value, the tvUnbox() at the end of zend_wrap_func() fixes the broken ObjectData refcount, because the RefData is leaked, not freed, so the decref of the RefData in tvUnbox() does not cause the ObjectData refcount to be decremented like it normally would.

If you return the result of _object_and_properties_init() to userspace any other way -- say by putting it into an array where it will be protected from tvUnbox() -- then the broken ObjectData refcount is exposed to userspace.

In the first snippet of comment 8, the first $ret[0] causes the ObjectData's refcount to go up to 1, so that the ObjectData is freed when the result of the array access is freed. Then the second $ret[0] is a use-after-free.
