From 8482a6f51184c1c099a74c8252ca2b609f3b5ea7 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@zend.com>
Date: Tue, 31 Oct 2017 01:20:38 +0300
Subject: Fixed use-after free introduced in
 fcc08ce19f39f7ab1381ecc8a010037d41819329

---
 Zend/zend_inheritance.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'Zend/zend_inheritance.c')

diff --git a/Zend/zend_inheritance.c b/Zend/zend_inheritance.c
index c200573ac8..98a3ae6459 100644
--- a/Zend/zend_inheritance.c
+++ b/Zend/zend_inheritance.c
@@ -775,6 +775,11 @@ static void do_inherit_class_constant(zend_string *name, zend_class_constant *pa
 		if (Z_TYPE(parent_const->value) == IS_CONSTANT_AST) {
 			ce->ce_flags &= ~ZEND_ACC_CONSTANTS_UPDATED;
 		}
+		if (ce->type & ZEND_INTERNAL_CLASS) {
+			c = pemalloc(sizeof(zend_class_constant), 1);
+			memcpy(c, parent_const, sizeof(zend_class_constant));
+			parent_const = c;
+		}
 		_zend_hash_append_ptr(&ce->constants_table, name, parent_const);
 	}
 }
@@ -1003,6 +1008,11 @@ static void do_inherit_iface_constant(zend_string *name, zend_class_constant *c,
 		if (Z_TYPE(c->value) == IS_CONSTANT_AST) {
 			ce->ce_flags &= ~ZEND_ACC_CONSTANTS_UPDATED;
 		}
+		if (ce->type & ZEND_INTERNAL_CLASS) {
+			ct = pemalloc(sizeof(zend_class_constant), 1);
+			memcpy(ct, c, sizeof(zend_class_constant));
+			c = ct;
+		}
 		zend_hash_update_ptr(&ce->constants_table, name, c);
 	}
 }
-- 
cgit v1.2.1