Fixed bug #36071 (Engine Crash related with 'clone')

3 files changed, 24 insertions, 0 deletions

diff --git a/NEWS b/NEWS
index 9219bdbbce..39f1ba0a96 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,7 @@ PHP                                                                        NEWS
   MYSQLI_TYPE_NEWDECIMAL and MYSQLI_TYPE_BIT. FR #36007. (Georg)
 - Fixed imagecolorallocate() and imagecolorallocatelapha() to return FALSE
   on error. (Pierre)
+- Fixed bug #36071 (Engine Crash related with 'clone'). (Dmitry)
 - Fixed bug #36055 (possible OCI8 crash in multithreaded environment). (Tony)
 - Fixed bug #36046 (parse_ini_file() miscounts lines in multi-line values).
   (Ilia)
diff --git a/Zend/tests/bug36071.phpt b/Zend/tests/bug36071.phpt
new file mode 100755
index 0000000000..3b8e05dfab
--- /dev/null
+++ b/Zend/tests/bug36071.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #36071 (Engine Crash related with 'clone')
+--INI--
+error_reporting=4095
+--FILE--
+<?php
+$a = clone 0;
+$a[0]->b = 0;
+echo "ok\n";
+?>
+--EXPECTF--
+Warning: __clone method called on non-object in %sbug36071.php on line 2
+ok
\ No newline at end of file
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 5ccdf67b70..046a9b1b0d 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -545,6 +545,16 @@ static inline void zend_assign_to_object(znode *result, zval **object_ptr, znode
 	zval *value = get_zval_ptr(value_op, Ts, &free_value, BP_VAR_R);
 	zval **retval = &T(result->u.var).var.ptr;
 
+	if (*object_ptr == EG(error_zval_ptr)) {
+		FREE_OP(free_op2);
+		if (!RETURN_VALUE_UNUSED(result)) {
+			*retval = EG(uninitialized_zval_ptr);
+			PZVAL_LOCK(*retval);
+		}
+		FREE_OP(free_value);
+		return;
+	}
+
 	make_real_object(object_ptr TSRMLS_CC); /* this should modify object only if it's empty */
 	object = *object_ptr;