Fix a class inheritence leak, when using static varibles in a parent class member function

Author: zsuraski

Zend/zend_compile.c

@@ -998,7 +998,17 @@ void do_return(znode *expr, int do_end_vparse CLS_DC)
 static void function_add_ref(zend_function *function)
 {
 	if (function->type == ZEND_USER_FUNCTION) {
-		(*((zend_op_array *) function)->refcount)++;
+		zend_op_array *op_array = &function->op_array;
+
+		(*op_array->refcount)++;
+		if (op_array->static_variables) {
+			HashTable *static_variables = op_array->static_variables;
+			zval *tmp_zval;
+
+			op_array->static_variables = (HashTable *) emalloc(sizeof(HashTable));
+			zend_hash_init(op_array->static_variables, 2, NULL, ZVAL_PTR_DTOR, 0);
+			zend_hash_copy(op_array->static_variables, static_variables, (void (*)(void *)) zval_add_ref, (void *) &tmp_zval, sizeof(zval *));
+		}
 	}
 }
 

Zend/zend_opcode.c

@@ -153,6 +153,11 @@ ZEND_API void destroy_op_array(zend_op_array *op_array)
 	zend_op *opline = op_array->opcodes;
 	zend_op *end = op_array->opcodes+op_array->last;
 
+	if (op_array->static_variables) {
+		zend_hash_destroy(op_array->static_variables);
+		efree(op_array->static_variables);
+	}
+
 	if (--(*op_array->refcount)>0) {
 		return;
 	}
@@ -184,10 +189,6 @@ ZEND_API void destroy_op_array(zend_op_array *op_array)
 	if (op_array->brk_cont_array) {
 		efree(op_array->brk_cont_array);
 	}
-	if (op_array->static_variables) {
-		zend_hash_destroy(op_array->static_variables);
-		efree(op_array->static_variables);
-	}
 	zend_llist_apply_with_argument(&zend_extensions, (void (*)(void *, void *)) zend_extension_op_array_dtor_handler, op_array);
 }