From 6d4965febdb1745444e7a3408fa7c01bcfc52b68 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 6 Nov 2019 12:51:25 +0100
Subject: Fixed bug #78787

Not the first time inheritance of shadow properties causes an issue,
thankfully this whole concept is gone in PHP 7.4.
---
 NEWS                     |  4 ++++
 Zend/tests/bug78787.phpt | 22 ++++++++++++++++++++++
 Zend/zend_inheritance.c  | 12 ++++++++----
 3 files changed, 34 insertions(+), 4 deletions(-)
 create mode 100644 Zend/tests/bug78787.phpt

diff --git a/NEWS b/NEWS
index f74a71fdcc..2e67e59683 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 7.3.13
 
+- Core:
+  . Fixed bug #78787 (Segfault with trait overriding inherited private shadow
+    property). (Nikita)
+
 21 Nov 2019, PHP 7.3.12
 
 - Core:
diff --git a/Zend/tests/bug78787.phpt b/Zend/tests/bug78787.phpt
new file mode 100644
index 0000000000..91d5a9aa83
--- /dev/null
+++ b/Zend/tests/bug78787.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #78787: Segfault with trait overriding inherited private shadow property
+--FILE--
+<?php
+
+trait T {
+    private $prop;
+}
+class C1 {
+    /** Doc comment */
+    private $prop;
+}
+class C2 extends C1 {
+}
+class C3 extends C2 {
+    use T;
+}
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/Zend/zend_inheritance.c b/Zend/zend_inheritance.c
index 0b0cb314b6..d271b74154 100644
--- a/Zend/zend_inheritance.c
+++ b/Zend/zend_inheritance.c
@@ -1595,10 +1595,14 @@ static void zend_do_traits_property_binding(zend_class_entry *ce) /* {{{ */
 			/* next: check for conflicts with current class */
 			if ((coliding_prop = zend_hash_find_ptr(&ce->properties_info, prop_name)) != NULL) {
 				if (coliding_prop->flags & ZEND_ACC_SHADOW) {
-					zend_string_release_ex(coliding_prop->name, 0);
-					if (coliding_prop->doc_comment) {
-						zend_string_release_ex(coliding_prop->doc_comment, 0);
-                    }
+					/* Only free if shadow is coming from direct parent,
+					 * otherwise these weren't copied in the first place. */
+					if (coliding_prop->ce == ce->parent) {
+						zend_string_release_ex(coliding_prop->name, 0);
+						if (coliding_prop->doc_comment) {
+							zend_string_release_ex(coliding_prop->doc_comment, 0);
+						}
+					}
 					zend_hash_del(&ce->properties_info, prop_name);
 					flags |= ZEND_ACC_CHANGED;
 				} else {
-- 
cgit v1.2.1