From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 19 Jun 2019 14:35:12 +0000 (+0200)
Subject: Fixed bug #78182
X-Git-Tag: php-7.4.0alpha2~51^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=268b5fec8e42e82dce398b86a4970ad8875978d3;p=php

Fixed bug #78182
---

diff --git a/NEWS b/NEWS
index 006ed9cebc..50402e8411 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ PHP                                                                        NEWS
   . Fixed bug #78151 (Segfault caused by indirect expressions in PHP 7.4a1).
     (Nikita)
   . Fixed bug #78154 (SEND_VAR_NO_REF does not always send reference). (Nikita)
+  . Fixed bug #78182 (Segmentation fault during by-reference property
+    assignment). (Nikita)
 
 - Date:
   . Fixed #69044 (discrepency between time and microtime). (krakjoe)
diff --git a/Zend/tests/bug78182.phpt b/Zend/tests/bug78182.phpt
new file mode 100644
index 0000000000..4b0f08dc3b
--- /dev/null
+++ b/Zend/tests/bug78182.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #78182: Segmentation fault during by-reference property assignment
+--FILE--
+<?php
+$varName = 'var';
+$propName = 'prop';
+$$varName->$propName =& $$varName;
+var_dump($var);
+?>
+--EXPECTF--
+Warning: Creating default object from empty value in %s on line %d
+object(stdClass)#1 (1) {
+  ["prop"]=>
+  *RECURSION*
+}
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index faa677e44d..5588ada56a 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -2826,6 +2826,7 @@ static zend_always_inline void zend_assign_to_property_reference(zval *container
 		if (prop_op_type == IS_CONST) {
 			prop_info = (zend_property_info *) CACHED_PTR_EX(cache_addr + 2);
 		} else {
+			ZVAL_DEREF(container);
 			prop_info = zend_object_fetch_property_type_info(Z_OBJ_P(container), variable_ptr);
 		}