Fixed attempt to free invalid structure (result of ROPE_INIT is not a zval)

3 files changed, 19 insertions, 0 deletions

diff --git a/Zend/tests/temporary_cleaning_015.phpt b/Zend/tests/temporary_cleaning_015.phpt
new file mode 100644
index 0000000000..7690abba76
--- /dev/null
+++ b/Zend/tests/temporary_cleaning_015.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Attempt to free invalid structure (result of ROPE_INIT is not a zval)
+--FILE--
+<?php
+set_error_handler(function () {
+	throw new Exception();
+});
+$a = [];
+$b = "";
+try {
+	 echo "$a$b\n";
+} catch (Exception $ex) {
+}
+?>
+DONE
+--EXPECT--
+DONE
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index f8538e02c4..1c3668088e 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -7080,6 +7080,7 @@ ZEND_VM_HANDLER(149, ZEND_HANDLE_EXCEPTION, ANY, ANY)
 	if (throw_op->result_type & (IS_VAR | IS_TMP_VAR)) {
 		switch (throw_op->opcode) {
 			case ZEND_ADD_ARRAY_ELEMENT:
+			case ZEND_ROPE_INIT:
 			case ZEND_ROPE_ADD:
 				break; /* exception while building structures, live range handling will free those */
 
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 4ca3fa4819..6b83684b7f 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -1776,6 +1776,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_HANDLE_EXCEPTION_SPEC_HANDLER(
 	if (throw_op->result_type & (IS_VAR | IS_TMP_VAR)) {
 		switch (throw_op->opcode) {
 			case ZEND_ADD_ARRAY_ELEMENT:
+			case ZEND_ROPE_INIT:
 			case ZEND_ROPE_ADD:
 				break; /* exception while building structures, live range handling will free those */