authorNikita Popov <nikita.ppv@gmail.com>2017-06-25 19:48:17 +0200
committerNikita Popov <nikita.ppv@gmail.com>2017-06-25 19:48:17 +0200
commit2fddc4a7f1588239939a509781706c084939e09f (patch)
treeb2db13c65ad144440f191be1f2c4167e5fe6952f /Zend
parentde66e80d757f2a89fa16ee436d89ecc428f369a9 (diff)
downloadphp-git-2fddc4a7f1588239939a509781706c084939e09f.tar.gz
Fixed bug #73900
Diffstat (limited to 'Zend')
-rw-r--r--Zend/tests/bug73900.phpt15
-rw-r--r--Zend/zend_execute.c13
2 files changed, 18 insertions, 10 deletions
diff --git a/Zend/tests/bug73900.phpt b/Zend/tests/bug73900.phpt
new file mode 100644
index 0000000000..fbd5b8604a
--- /dev/null
+++ b/Zend/tests/bug73900.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #73900: Use After Free in unserialize() SplFixedArray
+--FILE--
+<?php
+
+$a = new stdClass;
+$b = new SplFixedArray(1);
+$b[0] = $a;
+$c = &$b[0];
+var_dump($c);
+
+?>
+--EXPECT--
+object(stdClass)#1 (0) {
+}
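Review bot: The `--TEST--` line names unserialize(), but the script never calls it; it takes a reference to an SplFixedArray element (`$c = &$b[0]`) and dumps it, so the title describes the original report rather than the code path this test actually covers. I would reword it to something like `Bug #73900: Use After Free when taking a reference to an SplFixedArray element` so that a future failure points at the right engine path. The current wording presumably mirrors the bug tracker title, which is worth keeping only if the test also exercised unserialize().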
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index a5d09f41e8..a4fb7ae10b 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1758,16 +1758,9 @@ convert_to_array:
zend_error(E_NOTICE, "Indirect modification of overloaded element of %s has no effect", ZSTR_VAL(ce->name));
} else if (EXPECTED(retval && Z_TYPE_P(retval) != IS_UNDEF)) {
if (!Z_ISREF_P(retval)) {
- if (Z_REFCOUNTED_P(retval) &&
- Z_REFCOUNT_P(retval) > 1) {
- if (Z_TYPE_P(retval) != IS_OBJECT) {
- Z_DELREF_P(retval);
- ZVAL_DUP(result, retval);
- retval = result;
- } else {
- ZVAL_COPY_VALUE(result, retval);
- retval = result;
- }
+ if (result != retval) {
+ ZVAL_COPY(result, retval);
+ retval = result;
}
if (Z_TYPE_P(retval) != IS_OBJECT) {
zend_class_entry *ce = Z_OBJCE_P(container);
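Review bot: The new `if (result != retval)` branch is the entire fix, yet nothing says why the copy must now always take a reference nor what the guard protects against, so the next reader is likely to "simplify" it back. I would put above it `/* Always hold our own reference: retval may live in the object's storage and be released under us (bug #73900). If read_dimension already returned into result, copying onto itself would only leak a refcount. */`. The removed object branch used ZVAL_COPY_VALUE without an addref, which is presumably the dangling-value path the new phpt exercises, and ZVAL_COPY closes it; the `retval == result` case is inferred from the guard rather than visible here, so that part of the comment should be confirmed against the read_dimension contract. The enclosing function starts and ends outside the hunk.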