Fixed bug #72911 (Memleak in zend_binary_assign_op_obj_helper)

diff --git a/NEWS b/NEWS
index 2726658215dc9e443a7b7b4aadb6f6317c363971..ebc273c0237855d244dd65c949ddad78cdf83d2d 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ PHP                                                                        NEWS
 ?? ??? 2016 PHP 7.0.11
 
 - Core:
+  . Fixed bug #72911 (Memleak in zend_binary_assign_op_obj_helper). (Laruence)
   . Fixed bug #72813 (Segfault with __get returned by ref). (Laruence)
   . Fixed bug #72767 (PHP Segfaults when trying to expand an infinite operator).
     (Nikita)

diff --git a/Zend/tests/bug72911.phpt b/Zend/tests/bug72911.phpt
new file mode 100644 (file)
index 0000000..098261c
--- /dev/null
+++ b/Zend/tests/bug72911.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #72911 (Memleak in zend_binary_assign_op_obj_helper)
+--FILE--
+<?php
+
+$a = 0;
+
+$b = $a->b->i -= 0;
+
+var_dump($b);
+
+?>
+--EXPECTF--
+Warning: Attempt to modify property of non-object in %sbug72911.php on line %d
+
+Warning: Attempt to assign property of non-object in %sbug72911.php on line %d
+NULL

diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index a2ef9c3f4deefcaed5c36040503272fa4dbc136a..9a3f69e026a6551b2d43146bf07685bca90f8fc0 100644 (file)
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -595,7 +595,9 @@ static inline void zend_assign_to_variable_reference(zval *variable_ptr, zval *v
 static inline int make_real_object(zval *object)
 {
        if (UNEXPECTED(Z_TYPE_P(object) != IS_OBJECT)) {
-               if (EXPECTED(Z_TYPE_P(object) <= IS_FALSE)) {
+               if (UNEXPECTED(object == &EG(error_zval))) {
+                       return 0;
+               } else if (EXPECTED(Z_TYPE_P(object) <= IS_FALSE)) {
                        /* nothing to destroy */
                } else if (EXPECTED((Z_TYPE_P(object) == IS_STRING && Z_STRLEN_P(object) == 0))) {
                        zval_ptr_dtor_nogc(object);