2 files changed, 20 insertions, 2 deletions

diff --git a/Zend/tests/bug75420.phpt b/Zend/tests/bug75420.phpt
new file mode 100644
index 0000000000..890fbe5ad5
--- /dev/null
+++ b/Zend/tests/bug75420.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #75420 (Crash when modifing property name in __isset for BP_VAR_IS)
+--FILE--
+<?php
+
+class Test {
+	public function __isset($x) { $GLOBALS["name"] = 24; return true; }
+public function __get($x) { var_dump($x); return 42; }
+}
+
+$obj = new Test;
+$name = "foo";
+var_dump($obj->$name ?? 12);
+?>
+--EXPECT--
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index c75a59e036..ed972c718c 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -577,6 +577,7 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_
 	zval tmp_member;
 	zval *retval;
 	uint32_t property_offset;
+	uint32_t *guard = NULL;
 
 	zobj = Z_OBJ_P(object);
 
@@ -612,7 +613,7 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_
 	/* magic isset */
 	if ((type == BP_VAR_IS) && zobj->ce->__isset) {
 		zval tmp_object, tmp_result;
-		uint32_t *guard = zend_get_property_guard(zobj, Z_STR_P(member));
+		guard = zend_get_property_guard(zobj, Z_STR_P(member));
 
 		if (!((*guard) & IN_ISSET)) {
 			ZVAL_COPY(&tmp_object, object);
@@ -636,7 +637,9 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_
 
 	/* magic get */
 	if (zobj->ce->__get) {
-		uint32_t *guard = zend_get_property_guard(zobj, Z_STR_P(member));
+		if (guard == NULL) {
+			guard = zend_get_property_guard(zobj, Z_STR_P(member));
+		}
 		if (!((*guard) & IN_GET)) {
 			zval tmp_object;