Correctly destroy reference in ArrayObject sort

The reference may be captured in an exception backtrace, in which
case the refcount may be more than one.

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 2806f93281f4cf2b8f8d239d7b82a13f6a5fb929..284bb71c81de794ca52d04bc2aa79b525ad3b635 100644 (file)
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1470,7 +1470,8 @@ exit:
                } else {
                        GC_DELREF(aht);
                }
-               efree(Z_REF(params[0]));
+               ZVAL_NULL(Z_REFVAL(params[0]));
+               zval_ptr_dtor(&params[0]);
                zend_string_free(Z_STR(function_name));
        }
 } /* }}} */