Fix leak on assignment to illegal AO offset

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 9ddd38bccfef19c2d21d63e6e2ffbcea8128673e..0740c063e961b45b9012b6e6c0f8eff87c91c9b8 100644 (file)
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -439,19 +439,16 @@ static void spl_array_write_dimension_ex(int check_inherited, zval *object, zval
                return;
        }
 
+       if (Z_REFCOUNTED_P(value)) {
+               Z_ADDREF_P(value);
+       }
+
        if (!offset) {
                ht = spl_array_get_hash_table(intern);
-               if (Z_REFCOUNTED_P(value)) {
-                       Z_ADDREF_P(value);
-               }
                zend_hash_next_index_insert(ht, value);
                return;
        }
 
-       if (Z_REFCOUNTED_P(value)) {
-               Z_ADDREF_P(value);
-       }
-
 try_again:
        switch (Z_TYPE_P(offset)) {
                case IS_STRING:
@@ -485,6 +482,7 @@ num_index:
                        goto try_again;
                default:
                        zend_error(E_WARNING, "Illegal offset type");
+                       zval_ptr_dtor(value);
                        return;
        }
 } /* }}} */

diff --git a/ext/spl/tests/ArrayObject_illegal_offset_leak.phpt b/ext/spl/tests/ArrayObject_illegal_offset_leak.phpt
new file mode 100644 (file)
index 0000000..42c649d
--- /dev/null
+++ b/ext/spl/tests/ArrayObject_illegal_offset_leak.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Assignments to illegal ArrayObject offsets shouldn't leak
+--FILE--
+<?php
+
+$ao = new ArrayObject([1, 2, 3]);
+$ao[[]] = new stdClass;
+
+?>
+--EXPECTF--
+Warning: Illegal offset type in %s on line %d