From dfd18e6d8246cb1710f79c4191d779ad6efab4bd Mon Sep 17 00:00:00 2001
From: Michael Wallner <mike@php.net>
Date: Mon, 24 Nov 2014 15:14:49 +0100
Subject: [PATCH] fix crash with result iterator when the iterator exists
 longer than the result. Reported by Chris Wright

---
 package.xml     |  2 +-
 src/php_pqres.c | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/package.xml b/package.xml
index c880bd7..f1c8fea 100644
--- a/package.xml
+++ b/package.xml
@@ -42,7 +42,7 @@ http://pear.php.net/dtd/package-2.0.xsd">
  </stability>
  <license>BSD, revised</license>
  <notes><![CDATA[
-*
+* Fixed crash with result iterator when the iterator exists longer than the result
 ]]></notes>
  <contents>
   <dir name="/">
diff --git a/src/php_pqres.c b/src/php_pqres.c
index 9954ad9..44ed163 100644
--- a/src/php_pqres.c
+++ b/src/php_pqres.c
@@ -43,8 +43,8 @@ static zend_object_iterator *php_pqres_iterator_init(zend_class_entry *ce, zval
 
 	iter = ecalloc(1, sizeof(*iter));
 	iter->zi.funcs = &php_pqres_iterator_funcs;
-	iter->zi.data = object;
-	/* do not addref, because the iterator lives inside this object anyway */
+	iter->zi.data = zend_object_store_get_object(object TSRMLS_CC);
+	zend_objects_store_add_ref(object TSRMLS_CC);
 
 	zfetch_type = prop = zend_read_property(ce, object, ZEND_STRL("fetchType"), 0 TSRMLS_CC);
 	if (Z_TYPE_P(zfetch_type) != IS_LONG) {
@@ -67,18 +67,20 @@ static zend_object_iterator *php_pqres_iterator_init(zend_class_entry *ce, zval
 static void php_pqres_iterator_dtor(zend_object_iterator *i TSRMLS_DC)
 {
 	php_pqres_iterator_t *iter = (php_pqres_iterator_t *) i;
+	php_pqres_object_t *obj = i->data;
 
 	if (iter->current_val) {
 		zval_ptr_dtor(&iter->current_val);
 		iter->current_val = NULL;
 	}
+	zend_objects_store_del_ref_by_handle_ex(obj->zv.handle, obj->zv.handlers TSRMLS_CC);
 	efree(iter);
 }
 
 static STATUS php_pqres_iterator_valid(zend_object_iterator *i TSRMLS_DC)
 {
 	php_pqres_iterator_t *iter = (php_pqres_iterator_t *) i;
-	php_pqres_object_t *obj = zend_object_store_get_object(iter->zi.data TSRMLS_CC);
+	php_pqres_object_t *obj = i->data;
 
 	switch (PQresultStatus(obj->intern->res)) {
 	case PGRES_TUPLES_OK:
@@ -305,7 +307,7 @@ zval *php_pqres_row_to_zval(PGresult *res, unsigned row, php_pqres_fetch_t fetch
 static void php_pqres_iterator_current(zend_object_iterator *i, zval ***data_ptr TSRMLS_DC)
 {
 	php_pqres_iterator_t *iter = (php_pqres_iterator_t *) i;
-	php_pqres_object_t *obj = zend_object_store_get_object(iter->zi.data TSRMLS_CC);
+	php_pqres_object_t *obj = i->data;
 
 	if (!iter->current_val) {
 		iter->current_val = php_pqres_row_to_zval(obj->intern->res, iter->index, iter->fetch_type, NULL TSRMLS_CC);
-- 
2.30.2