Fixed bug #36071 (Engine Crash related with 'clone')
authorDmitry Stogov <dmitry@php.net>
Thu, 19 Jan 2006 07:26:58 +0000 (07:26 +0000)
committerDmitry Stogov <dmitry@php.net>
Thu, 19 Jan 2006 07:26:58 +0000 (07:26 +0000)
Zend/tests/bug36071.phpt [new file with mode: 0755]
Zend/zend_execute.c

diff --git a/Zend/tests/bug36071.phpt b/Zend/tests/bug36071.phpt
new file mode 100755 (executable)
index 0000000..3b8e05d
--- /dev/null
@@ -0,0 +1,13 @@
+--TEST--
+Bug #36071 (Engine Crash related with 'clone')
+--INI--
+error_reporting=4095
+--FILE--
+<?php
+$a = clone 0;
+$a[0]->b = 0;
+echo "ok\n";
+?>
+--EXPECTF--
+Warning: __clone method called on non-object in %sbug36071.php on line 2
+ok
\ No newline at end of file
index ed670f1ec7fcfd09a4f070921d508355be4dbfe5..e8a9965bfbf72448541015658d25e35db1079f28 100644 (file)
@@ -569,6 +569,16 @@ static inline void zend_assign_to_object(znode *result, zval **object_ptr, znode
        zval *value = get_zval_ptr(value_op, Ts, &free_value, BP_VAR_R);
        zval **retval = &T(result->u.var).var.ptr;
 
+       if (*object_ptr == EG(error_zval_ptr)) {
+               FREE_OP(free_op2);
+               if (!RETURN_VALUE_UNUSED(result)) {
+                       *retval = EG(uninitialized_zval_ptr);
+                       PZVAL_LOCK(*retval);
+               }
+               FREE_OP(free_value);
+               return;
+       }
+
        make_real_object(object_ptr TSRMLS_CC); /* this should modify object only if it's empty */
        object = *object_ptr;
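Review bot: The new `*object_ptr == EG(error_zval_ptr)` guard in zend_assign_to_object has no comment explaining why it must run before `make_real_object()`, and it returns without any diagnostic, so the property write is dropped silently. Presumably the error zval is a shared engine placeholder that `make_real_object()` would otherwise convert and the handler would then write through; a one-line comment such as `/* error_zval is a shared placeholder: never convert or write to it, just discard the assignment */` would keep a later refactor from moving or removing the check. The added test only exercises `$a[0]->b = 0`, so if other write handlers can receive the same pointer they would need the same check and their own test cases, which this hunk cannot show. The function's declarations (including `free_op2`) and the rest of its body lie outside the hunk.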