Fix double free if post inc of typed property throws

We either need to add an extra ref because the copy is used as the retval, which is freed by HANDLE_EXCEPTION, or we need to undef it (done here).
author: Nikita Popov <nikita.ppv@gmail.com> 2019-02-08 12:43:11 +0100
committer: Nikita Popov <nikita.ppv@gmail.com> 2019-02-08 12:43:11 +0100
commit: 0d4471fd28eea7974b5af7832958e62e546927f6 (patch)
tree: 70b88064a8bdb52d5572ebcb4e71e3443d791e3d
parent: a9d4caeecea947e7ee5425661204045c0bbba66f (diff)
download: php-git-0d4471fd28eea7974b5af7832958e62e546927f6.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 92ddef051e..840c18b150 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1680,6 +1680,7 @@ static void zend_incdec_typed_ref(zend_reference *ref, zval *copy, int inc EXECU
 	} else if (UNEXPECTED(!zend_verify_ref_assignable_zval(ref, var_ptr, EX_USES_STRICT_TYPES()))) {
 		zval_ptr_dtor(var_ptr);
 		ZVAL_COPY_VALUE(var_ptr, copy);
+		ZVAL_UNDEF(copy);
 	} else if (copy == &tmp) {
 		zval_ptr_dtor(&tmp);
 	}
@@ -1707,6 +1708,7 @@ static void zend_incdec_typed_prop(zend_property_info *prop_info, zval *var_ptr,
 	} else if (UNEXPECTED(!zend_verify_property_type(prop_info, var_ptr, EX_USES_STRICT_TYPES()))) {
 		zval_ptr_dtor(var_ptr);
 		ZVAL_COPY_VALUE(var_ptr, copy);
+		ZVAL_UNDEF(copy);
 	} else if (copy == &tmp) {
 		zval_ptr_dtor(&tmp);
 	}
author	Nikita Popov <nikita.ppv@gmail.com>	2019-02-08 12:43:11 +0100
committer	Nikita Popov <nikita.ppv@gmail.com>	2019-02-08 12:43:11 +0100
commit	0d4471fd28eea7974b5af7832958e62e546927f6 (patch)
tree	70b88064a8bdb52d5572ebcb4e71e3443d791e3d
parent	a9d4caeecea947e7ee5425661204045c0bbba66f (diff)
download	php-git-0d4471fd28eea7974b5af7832958e62e546927f6.tar.gz