Fix double free if post inc of typed property throws

We either need to add an extra ref because the copy is used as the
retval, which is freed by HANDLE_EXCEPTION, or we need to undef it
(done here).

diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 92ddef051ea687df97c9c13a0038ad14dcb188da..840c18b150cdda7a56d9009465bffed75647f3b4 100644 (file)
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1680,6 +1680,7 @@ static void zend_incdec_typed_ref(zend_reference *ref, zval *copy, int inc EXECU
        } else if (UNEXPECTED(!zend_verify_ref_assignable_zval(ref, var_ptr, EX_USES_STRICT_TYPES()))) {
                zval_ptr_dtor(var_ptr);
                ZVAL_COPY_VALUE(var_ptr, copy);
+               ZVAL_UNDEF(copy);
        } else if (copy == &tmp) {
                zval_ptr_dtor(&tmp);
        }
@@ -1707,6 +1708,7 @@ static void zend_incdec_typed_prop(zend_property_info *prop_info, zval *var_ptr,
        } else if (UNEXPECTED(!zend_verify_property_type(prop_info, var_ptr, EX_USES_STRICT_TYPES()))) {
                zval_ptr_dtor(var_ptr);
                ZVAL_COPY_VALUE(var_ptr, copy);
+               ZVAL_UNDEF(copy);
        } else if (copy == &tmp) {
                zval_ptr_dtor(&tmp);
        }