Fix use after free

Author: danog

src/args.rs

@@ -98,7 +98,9 @@ impl<'a> Arg<'a> {
     where
         T: FromZvalMut<'a>,
     {
-        self.zval.as_mut().and_then(|zv| T::from_zval_mut(zv.dereference_mut()))
+        self.zval
+            .as_mut()
+            .and_then(|zv| T::from_zval_mut(zv.dereference_mut()))
     }
 
     /// Attempts to return a reference to the arguments internal Zval.

src/types/zval.rs

@@ -53,14 +53,12 @@ impl Zval {
 
     /// Dereference the zval, if it is a reference.
     pub fn dereference(&self) -> &Self {
-        return self
-            .reference()
-            .or_else(|| self.indirect())
-            .unwrap_or(self)
+        return self.reference().or_else(|| self.indirect()).unwrap_or(self);
     }
 
     /// Dereference the zval mutable, if it is a reference.
     pub fn dereference_mut(&mut self) -> &mut Self {
+        // TODO: probably more ZTS work is needed here
         if self.is_reference() {
             #[allow(clippy::unwrap_used)]
             return self.reference_mut().unwrap();

src/zend/_type.rs

@@ -1,14 +1,12 @@
-use std::{
-    ffi::c_void,
-    ptr,
-};
+use std::{ffi::c_void, ptr};
 
 use crate::{
     ffi::{
         zend_type, IS_MIXED, MAY_BE_ANY, MAY_BE_BOOL, _IS_BOOL, _ZEND_IS_VARIADIC_BIT,
         _ZEND_SEND_MODE_SHIFT, _ZEND_TYPE_NAME_BIT, _ZEND_TYPE_NULLABLE_BIT,
     },
-    flags::DataType, types::ZendStr,
+    flags::DataType,
+    types::ZendStr,
 };
 
 /// Internal Zend type.
@@ -82,7 +80,7 @@ impl ZendType {
         allow_null: bool,
     ) -> Option<Self> {
         Some(Self {
-            ptr: ZendStr::new(class_name, true).as_ptr() as *mut c_void,
+            ptr: ZendStr::new(class_name, true).into_raw().as_ptr() as *mut c_void,
             type_mask: _ZEND_TYPE_NAME_BIT
                 | (if allow_null {
                     _ZEND_TYPE_NULLABLE_BIT

src/zend/try_catch.rs

@@ -35,12 +35,13 @@ pub fn try_catch<R, F: FnMut() -> R + RefUnwindSafe>(func: F) -> Result<R, Catch
 
 /// PHP propose a try catch mechanism in C using setjmp and longjmp (bailout)
 /// It store the arg of setjmp into the bailout field of the global executor
-/// If a bailout is triggered, the executor will jump to the setjmp and restore the previous setjmp
+/// If a bailout is triggered, the executor will jump to the setjmp and restore
+/// the previous setjmp
 ///
 /// try_catch_first allow to use this mechanism
 ///
-/// This functions differs from ['try_catch'] as it also initialize the bailout mechanism
-/// for the first time
+/// This functions differs from ['try_catch'] as it also initialize the bailout
+/// mechanism for the first time
 ///
 /// # Returns
 ///

tests/src/integration/closure.php

@@ -5,7 +5,7 @@
 $v = test_closure();
 
 // Closure
-assert($closure('works') === 'works');
+assert($v('works') === 'works');
 
 // Closure once
 $closure = test_closure_once('test');