From 6c4351336d5cfd6cc670d2640807b57da9e768d4 Mon Sep 17 00:00:00 2001
From: Michael Wallner <mike@php.net>
Date: Wed, 9 Jul 2014 13:58:22 +0200
Subject: [PATCH] fix refcount issue with message bodies

---
 php_http_message.c  |   4 +-
 tests/client006.mem |  37 -------------
 tests/client014.mem | 129 --------------------------------------------
 3 files changed, 3 insertions(+), 167 deletions(-)
 delete mode 100644 tests/client006.mem
 delete mode 100644 tests/client014.mem

diff --git a/php_http_message.c b/php_http_message.c
index 8c1f40c..9432ae9 100644
--- a/php_http_message.c
+++ b/php_http_message.c
@@ -772,7 +772,9 @@ STATUS php_http_message_object_set_body(php_http_message_object_t *msg_obj, zval
 	}
 
 	body_obj = zend_object_store_get_object(zbody TSRMLS_CC);
-
+	if (!body_obj->body) {
+		body_obj->body = php_http_message_body_init(NULL, NULL TSRMLS_CC);
+	}
 	if (msg_obj->body) {
 		zend_objects_store_del_ref_by_handle(msg_obj->body->zv.handle TSRMLS_CC);
 	}
diff --git a/tests/client006.mem b/tests/client006.mem
deleted file mode 100644
index 2b9f968..0000000
--- a/tests/client006.mem
+++ /dev/null
@@ -1,37 +0,0 @@
-==14228== Invalid read of size 8
-==14228==    at 0x7888C3: handle_response (php_http_client.c:444)
-==14228==    by 0x78ED83: php_http_curlm_responsehandler (php_http_client_curl.c:539)
-==14228==    by 0x7933D9: php_http_client_curl_once (php_http_client_curl.c:1776)
-==14228==    by 0x79351D: php_http_client_curl_exec (php_http_client_curl.c:1807)
-==14228==    by 0x787FE6: php_http_client_exec (php_http_client.c:291)
-==14228==    by 0x78A49E: zim_HttpClient_send (php_http_client.c:799)
-==14228==    by 0x8E44E6: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
-==14228==    by 0x8E4FA1: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:693)
-==14228==    by 0x8E3739: execute_ex (zend_vm_execute.h:363)
-==14228==    by 0x8E3822: zend_execute (zend_vm_execute.h:388)
-==14228==    by 0x898494: zend_execute_scripts (zend.c:1330)
-==14228==    by 0x7DD3B1: php_execute_script (main.c:2549)
-==14228==    by 0x95E642: do_cli (php_cli.c:994)
-==14228==    by 0x95FA1F: main (php_cli.c:1378)
-==14228==  Address 0x8e5a4d8 is 72 bytes inside a block of size 464 free'd
-==14228==    at 0x4C2999C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
-==14228==    by 0x850D33: _efree (zend_alloc.c:2437)
-==14228==    by 0x792943: php_http_client_curl_handler_dtor (php_http_client_curl.c:1553)
-==14228==    by 0x792B5D: queue_dtor (php_http_client_curl.c:1601)
-==14228==    by 0x787A71: queue_dtor (php_http_client.c:156)
-==14228==    by 0x883F3E: zend_llist_del_element (zend_llist.c:97)
-==14228==    by 0x792FCB: php_http_client_curl_dequeue (php_http_client_curl.c:1692)
-==14228==    by 0x787E7B: php_http_client_dequeue (php_http_client.c:245)
-==14228==    by 0x788873: handle_response (php_http_client.c:434)
-==14228==    by 0x78ED83: php_http_curlm_responsehandler (php_http_client_curl.c:539)
-==14228==    by 0x7933D9: php_http_client_curl_once (php_http_client_curl.c:1776)
-==14228==    by 0x79351D: php_http_client_curl_exec (php_http_client_curl.c:1807)
-==14228==    by 0x787FE6: php_http_client_exec (php_http_client.c:291)
-==14228==    by 0x78A49E: zim_HttpClient_send (php_http_client.c:799)
-==14228==    by 0x8E44E6: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
-==14228==    by 0x8E4FA1: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:693)
-==14228==    by 0x8E3739: execute_ex (zend_vm_execute.h:363)
-==14228==    by 0x8E3822: zend_execute (zend_vm_execute.h:388)
-==14228==    by 0x898494: zend_execute_scripts (zend.c:1330)
-==14228==    by 0x7DD3B1: php_execute_script (main.c:2549)
-==14228== 
diff --git a/tests/client014.mem b/tests/client014.mem
deleted file mode 100644
index f2e9a73..0000000
--- a/tests/client014.mem
+++ /dev/null
@@ -1,129 +0,0 @@
-==14271== Invalid read of size 4
-==14271==    at 0x7B5E3E: php_http_message_body_free (php_http_message_body.c:99)
-==14271==    by 0x7B7D5F: php_http_message_body_object_free (php_http_message_body.c:611)
-==14271==    by 0x8DAEFC: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
-==14271==    by 0x7B974D: zend_objects_store_del_ref_by_handle (zend_objects_API.h:73)
-==14271==    by 0x7BD3C2: php_http_message_object_free (php_http_message.c:863)
-==14271==    by 0x8DAEFC: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
-==14271==    by 0x7894D1: msg_queue_dtor (php_http_client.c:593)
-==14271==    by 0x792B51: queue_dtor (php_http_client_curl.c:1599)
-==14271==    by 0x787A71: queue_dtor (php_http_client.c:156)
-==14271==    by 0x883F3E: zend_llist_del_element (zend_llist.c:97)
-==14271==    by 0x792FCB: php_http_client_curl_dequeue (php_http_client_curl.c:1692)
-==14271==    by 0x793047: php_http_client_curl_reset (php_http_client_curl.c:1707)
-==14271==    by 0x788021: php_http_client_reset (php_http_client.c:300)
-==14271==    by 0x787C71: php_http_client_dtor (php_http_client.c:202)
-==14271==    by 0x787CD0: php_http_client_free (php_http_client.c:213)
-==14271==    by 0x788102: php_http_client_object_free (php_http_client.c:331)
-==14271==    by 0x8DAEFC: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
-==14271==    by 0x8DAA78: zend_objects_store_del_ref (zend_objects_API.c:178)
-==14271==    by 0x892D9D: _zval_dtor_func (zend_variables.c:57)
-==14271==    by 0x87C332: _zval_dtor (zend_variables.h:35)
-==14271==  Address 0x8e5c750 is 160 bytes inside a block of size 176 free'd
-==14271==    at 0x4C2999C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
-==14271==    by 0x850D33: _efree (zend_alloc.c:2437)
-==14271==    by 0x7B5F03: php_http_message_body_free (php_http_message_body.c:104)
-==14271==    by 0x7BBBE1: php_http_message_dtor (php_http_message.c:476)
-==14271==    by 0x7BD337: php_http_message_object_free (php_http_message.c:854)
-==14271==    by 0x8DAEFC: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
-==14271==    by 0x7894D1: msg_queue_dtor (php_http_client.c:593)
-==14271==    by 0x792B51: queue_dtor (php_http_client_curl.c:1599)
-==14271==    by 0x787A71: queue_dtor (php_http_client.c:156)
-==14271==    by 0x883F3E: zend_llist_del_element (zend_llist.c:97)
-==14271==    by 0x792FCB: php_http_client_curl_dequeue (php_http_client_curl.c:1692)
-==14271==    by 0x793047: php_http_client_curl_reset (php_http_client_curl.c:1707)
-==14271==    by 0x788021: php_http_client_reset (php_http_client.c:300)
-==14271==    by 0x787C71: php_http_client_dtor (php_http_client.c:202)
-==14271==    by 0x787CD0: php_http_client_free (php_http_client.c:213)
-==14271==    by 0x788102: php_http_client_object_free (php_http_client.c:331)
-==14271==    by 0x8DAEFC: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
-==14271==    by 0x8DAA78: zend_objects_store_del_ref (zend_objects_API.c:178)
-==14271==    by 0x892D9D: _zval_dtor_func (zend_variables.c:57)
-==14271==    by 0x87C332: _zval_dtor (zend_variables.h:35)
-==14271== 
-==14271== Invalid write of size 4
-==14271==    at 0x7B5E4B: php_http_message_body_free (php_http_message_body.c:99)
-==14271==    by 0x7B7D5F: php_http_message_body_object_free (php_http_message_body.c:611)
-==14271==    by 0x8DAEFC: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
-==14271==    by 0x7B974D: zend_objects_store_del_ref_by_handle (zend_objects_API.h:73)
-==14271==    by 0x7BD3C2: php_http_message_object_free (php_http_message.c:863)
-==14271==    by 0x8DAEFC: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
-==14271==    by 0x7894D1: msg_queue_dtor (php_http_client.c:593)
-==14271==    by 0x792B51: queue_dtor (php_http_client_curl.c:1599)
-==14271==    by 0x787A71: queue_dtor (php_http_client.c:156)
-==14271==    by 0x883F3E: zend_llist_del_element (zend_llist.c:97)
-==14271==    by 0x792FCB: php_http_client_curl_dequeue (php_http_client_curl.c:1692)
-==14271==    by 0x793047: php_http_client_curl_reset (php_http_client_curl.c:1707)
-==14271==    by 0x788021: php_http_client_reset (php_http_client.c:300)
-==14271==    by 0x787C71: php_http_client_dtor (php_http_client.c:202)
-==14271==    by 0x787CD0: php_http_client_free (php_http_client.c:213)
-==14271==    by 0x788102: php_http_client_object_free (php_http_client.c:331)
-==14271==    by 0x8DAEFC: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
-==14271==    by 0x8DAA78: zend_objects_store_del_ref (zend_objects_API.c:178)
-==14271==    by 0x892D9D: _zval_dtor_func (zend_variables.c:57)
-==14271==    by 0x87C332: _zval_dtor (zend_variables.h:35)
-==14271==  Address 0x8e5c750 is 160 bytes inside a block of size 176 free'd
-==14271==    at 0x4C2999C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
-==14271==    by 0x850D33: _efree (zend_alloc.c:2437)
-==14271==    by 0x7B5F03: php_http_message_body_free (php_http_message_body.c:104)
-==14271==    by 0x7BBBE1: php_http_message_dtor (php_http_message.c:476)
-==14271==    by 0x7BD337: php_http_message_object_free (php_http_message.c:854)
-==14271==    by 0x8DAEFC: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
-==14271==    by 0x7894D1: msg_queue_dtor (php_http_client.c:593)
-==14271==    by 0x792B51: queue_dtor (php_http_client_curl.c:1599)
-==14271==    by 0x787A71: queue_dtor (php_http_client.c:156)
-==14271==    by 0x883F3E: zend_llist_del_element (zend_llist.c:97)
-==14271==    by 0x792FCB: php_http_client_curl_dequeue (php_http_client_curl.c:1692)
-==14271==    by 0x793047: php_http_client_curl_reset (php_http_client_curl.c:1707)
-==14271==    by 0x788021: php_http_client_reset (php_http_client.c:300)
-==14271==    by 0x787C71: php_http_client_dtor (php_http_client.c:202)
-==14271==    by 0x787CD0: php_http_client_free (php_http_client.c:213)
-==14271==    by 0x788102: php_http_client_object_free (php_http_client.c:331)
-==14271==    by 0x8DAEFC: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
-==14271==    by 0x8DAA78: zend_objects_store_del_ref (zend_objects_API.c:178)
-==14271==    by 0x892D9D: _zval_dtor_func (zend_variables.c:57)
-==14271==    by 0x87C332: _zval_dtor (zend_variables.h:35)
-==14271== 
-==14271== Invalid read of size 4
-==14271==    at 0x7B5E55: php_http_message_body_free (php_http_message_body.c:99)
-==14271==    by 0x7B7D5F: php_http_message_body_object_free (php_http_message_body.c:611)
-==14271==    by 0x8DAEFC: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
-==14271==    by 0x7B974D: zend_objects_store_del_ref_by_handle (zend_objects_API.h:73)
-==14271==    by 0x7BD3C2: php_http_message_object_free (php_http_message.c:863)
-==14271==    by 0x8DAEFC: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
-==14271==    by 0x7894D1: msg_queue_dtor (php_http_client.c:593)
-==14271==    by 0x792B51: queue_dtor (php_http_client_curl.c:1599)
-==14271==    by 0x787A71: queue_dtor (php_http_client.c:156)
-==14271==    by 0x883F3E: zend_llist_del_element (zend_llist.c:97)
-==14271==    by 0x792FCB: php_http_client_curl_dequeue (php_http_client_curl.c:1692)
-==14271==    by 0x793047: php_http_client_curl_reset (php_http_client_curl.c:1707)
-==14271==    by 0x788021: php_http_client_reset (php_http_client.c:300)
-==14271==    by 0x787C71: php_http_client_dtor (php_http_client.c:202)
-==14271==    by 0x787CD0: php_http_client_free (php_http_client.c:213)
-==14271==    by 0x788102: php_http_client_object_free (php_http_client.c:331)
-==14271==    by 0x8DAEFC: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
-==14271==    by 0x8DAA78: zend_objects_store_del_ref (zend_objects_API.c:178)
-==14271==    by 0x892D9D: _zval_dtor_func (zend_variables.c:57)
-==14271==    by 0x87C332: _zval_dtor (zend_variables.h:35)
-==14271==  Address 0x8e5c750 is 160 bytes inside a block of size 176 free'd
-==14271==    at 0x4C2999C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
-==14271==    by 0x850D33: _efree (zend_alloc.c:2437)
-==14271==    by 0x7B5F03: php_http_message_body_free (php_http_message_body.c:104)
-==14271==    by 0x7BBBE1: php_http_message_dtor (php_http_message.c:476)
-==14271==    by 0x7BD337: php_http_message_object_free (php_http_message.c:854)
-==14271==    by 0x8DAEFC: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
-==14271==    by 0x7894D1: msg_queue_dtor (php_http_client.c:593)
-==14271==    by 0x792B51: queue_dtor (php_http_client_curl.c:1599)
-==14271==    by 0x787A71: queue_dtor (php_http_client.c:156)
-==14271==    by 0x883F3E: zend_llist_del_element (zend_llist.c:97)
-==14271==    by 0x792FCB: php_http_client_curl_dequeue (php_http_client_curl.c:1692)
-==14271==    by 0x793047: php_http_client_curl_reset (php_http_client_curl.c:1707)
-==14271==    by 0x788021: php_http_client_reset (php_http_client.c:300)
-==14271==    by 0x787C71: php_http_client_dtor (php_http_client.c:202)
-==14271==    by 0x787CD0: php_http_client_free (php_http_client.c:213)
-==14271==    by 0x788102: php_http_client_object_free (php_http_client.c:331)
-==14271==    by 0x8DAEFC: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
-==14271==    by 0x8DAA78: zend_objects_store_del_ref (zend_objects_API.c:178)
-==14271==    by 0x892D9D: _zval_dtor_func (zend_variables.c:57)
-==14271==    by 0x87C332: _zval_dtor (zend_variables.h:35)
-==14271== 
-- 
2.30.2