From: Xinchen Hui Date: Thu, 17 Mar 2016 03:56:32 +0000 (+0800) Subject: Fixed Bug #71824 (null ptr deref _zval_get_string_func (zend_operators.c:851)) X-Git-Tag: php-7.1.0alpha1~475 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b9aed47a7a9a1e9485317b5b0d5c58ff4cec5456;p=php Fixed Bug #71824 (null ptr deref _zval_get_string_func (zend_operators.c:851))
---
diff --git a/Zend/tests/bug71824.phpt b/Zend/tests/bug71824.phpt
new file mode 100644
index 0000000000..00af2b6391
--- /dev/null
+++ b/Zend/tests/bug71824.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #71824 (null ptr deref _zval_get_string_func (zend_operators.c:851))
+--INI--
+error_reporting=0
+--FILE--
+e.=0);
+var_dump(++$z->x);
+var_dump($z->y++);
+
+$y = array(PHP_INT_MAX => 0);
+var_dump($y[] .= 0);
+var_dump(++$y[]);
+var_dump($y[]++);
+?>
+--EXPECT--
+string(1) "0"
+int(1)
+int(1)
+NULL
+NULL
+NULL
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index d0f78344a9..e59db4af53 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -737,14 +737,21 @@ ZEND_VM_HELPER(zend_binary_assign_op_obj_helper, VAR|UNUSED|CV, CONST|TMPVAR|CV, /* here we are sure we are dealing with an object */ if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr) && EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, ((OP2_TYPE == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) { - - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); - + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } binary_op(zptr, zptr, value); if (UNEXPECTED(RETURN_VALUE_USED(opline))) { ZVAL_COPY(EX_VAR(opline->result.var), zptr); } + if (UNEXPECTED(zptr == &zv)) { + zval_ptr_dtor(zptr); + } } else { zend_assign_op_overloaded_property(object, property, ((OP2_TYPE == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL)); } @@ -1128,8 +1135,14 @@ ZEND_VM_HELPER(zend_pre_incdec_property_helper, VAR|UNUSED|CV, CONST|TMPVAR|CV, fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } if (inc) { increment_function(zptr); @@ -1202,9 +1215,14 @@ ZEND_VM_HELPER(zend_post_incdec_property_helper, VAR|UNUSED|CV, CONST|TMPVAR|CV, fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); - zval_opt_copy_ctor(zptr); + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + zptr = EX_VAR(opline->result.var); + ZVAL_NULL(zptr); + } else { + ZVAL_DEREF(zptr); + ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); + zval_opt_copy_ctor(zptr); + } if (inc) { increment_function(zptr); } else { diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index 3913fff161..7fc43191f7 100644 
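Review bot: The error branch added to zend_binary_assign_op_obj_helper carries no comment explaining why an IS_ERROR slot returned by get_property_ptr_ptr() is swapped for a stack temporary, and the later `zptr == &zv` test is hard to read without that context. I would add above the check `/* error sentinel: operate on a throwaway NULL so binary_op() never writes through it */` and beside the destructor call `/* binary_op() may have left a refcounted value (e.g. a string from .=) in the temporary */`. `zv` stays uninitialised on the normal path, which is safe here only because its address, not its contents, is compared; that deserves a word in the comment as well. The zend_pre_incdec_property_helper hunk introduces the same temporary with no release visible, but that helper continues past the end of its hunk, so whether a matching `zval_ptr_dtor` is needed there cannot be confirmed from this view.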
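Review bot: In the zend_post_incdec_property_helper hunk the error branch points `zptr` at `EX_VAR(opline->result.var)`, so the `increment_function(zptr)` or decrement that follows modifies the result slot itself and the expression yields the changed value instead of the prior one. The new test pins this down: `var_dump($z->y++)` expects `int(1)`, the same as the pre-increment line, while the array form `$y[]++` expects `NULL`. If a post-operation on an error slot is meant to keep returning the old value, the branch should store NULL in the result and skip the inc/dec, for instance by moving the `if (inc) … else …` into the non-error arm. That block closes outside the hunk, so the exact shape has to be checked against the full helper; if the current result is intended, a one-line comment saying so would stop it being "fixed" later.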
--- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -17334,14 +17334,21 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_obj_helper_SP /* here we are sure we are dealing with an object */ if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr) && EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, ((IS_CONST == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) { - - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); - + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } binary_op(zptr, zptr, value); if (UNEXPECTED(RETURN_VALUE_USED(opline))) { ZVAL_COPY(EX_VAR(opline->result.var), zptr); } + if (UNEXPECTED(zptr == &zv)) { + zval_ptr_dtor(zptr); + } } else { zend_assign_op_overloaded_property(object, property, ((IS_CONST == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL)); } @@ -17723,8 +17730,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_incdec_property_helper_SPE fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } if (inc) { increment_function(zptr); @@ -17796,9 +17809,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_incdec_property_helper_SP fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); - zval_opt_copy_ctor(zptr); + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + zptr = EX_VAR(opline->result.var); + ZVAL_NULL(zptr); + } else { + ZVAL_DEREF(zptr); + ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); + zval_opt_copy_ctor(zptr); + } if (inc) { increment_function(zptr); } else { 
@@ -21683,14 +21701,21 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_obj_helper_SP /* here we are sure we are dealing with an object */ if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr) && EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, ((IS_CV == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) { - - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); - + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } binary_op(zptr, zptr, value); if (UNEXPECTED(RETURN_VALUE_USED(opline))) { ZVAL_COPY(EX_VAR(opline->result.var), zptr); } + if (UNEXPECTED(zptr == &zv)) { + zval_ptr_dtor(zptr); + } } else { zend_assign_op_overloaded_property(object, property, ((IS_CV == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL)); } @@ -22072,8 +22097,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_incdec_property_helper_SPE fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } if (inc) { increment_function(zptr); @@ -22145,9 +22176,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_incdec_property_helper_SP fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); - zval_opt_copy_ctor(zptr); + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + zptr = EX_VAR(opline->result.var); + ZVAL_NULL(zptr); + } else { + ZVAL_DEREF(zptr); + ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); + zval_opt_copy_ctor(zptr); + } if (inc) { increment_function(zptr); } else { 
@@ -24223,14 +24259,21 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_obj_helper_SP /* here we are sure we are dealing with an object */ if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr) && EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, (((IS_TMP_VAR|IS_VAR) == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) { - - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); - + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } binary_op(zptr, zptr, value); if (UNEXPECTED(RETURN_VALUE_USED(opline))) { ZVAL_COPY(EX_VAR(opline->result.var), zptr); } + if (UNEXPECTED(zptr == &zv)) { + zval_ptr_dtor(zptr); + } } else { zend_assign_op_overloaded_property(object, property, (((IS_TMP_VAR|IS_VAR) == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL)); } @@ -24614,8 +24657,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_incdec_property_helper_SPE fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } if (inc) { increment_function(zptr); @@ -24688,9 +24737,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_incdec_property_helper_SP fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); - zval_opt_copy_ctor(zptr); + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + zptr = EX_VAR(opline->result.var); + ZVAL_NULL(zptr); + } else { + ZVAL_DEREF(zptr); + ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); + zval_opt_copy_ctor(zptr); + } if (inc) { increment_function(zptr); } else { 
@@ -26678,14 +26732,21 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_obj_helper_SP /* here we are sure we are dealing with an object */ if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr) && EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, ((IS_CONST == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) { - - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); - + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } binary_op(zptr, zptr, value); if (UNEXPECTED(RETURN_VALUE_USED(opline))) { ZVAL_COPY(EX_VAR(opline->result.var), zptr); } + if (UNEXPECTED(zptr == &zv)) { + zval_ptr_dtor(zptr); + } } else { zend_assign_op_overloaded_property(object, property, ((IS_CONST == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL)); } @@ -27037,8 +27098,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_incdec_property_helper_SPE fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } if (inc) { increment_function(zptr); @@ -27110,9 +27177,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_incdec_property_helper_SP fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); - zval_opt_copy_ctor(zptr); + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + zptr = EX_VAR(opline->result.var); + ZVAL_NULL(zptr); + } else { + ZVAL_DEREF(zptr); + ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); + zval_opt_copy_ctor(zptr); + } if (inc) { increment_function(zptr); } else { 
@@ -29978,14 +30050,21 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_obj_helper_SP /* here we are sure we are dealing with an object */ if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr) && EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, ((IS_CV == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) { - - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); - + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } binary_op(zptr, zptr, value); if (UNEXPECTED(RETURN_VALUE_USED(opline))) { ZVAL_COPY(EX_VAR(opline->result.var), zptr); } + if (UNEXPECTED(zptr == &zv)) { + zval_ptr_dtor(zptr); + } } else { zend_assign_op_overloaded_property(object, property, ((IS_CV == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL)); } @@ -30337,8 +30416,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_incdec_property_helper_SPE fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } if (inc) { increment_function(zptr); @@ -30410,9 +30495,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_incdec_property_helper_SP fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); - zval_opt_copy_ctor(zptr); + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + zptr = EX_VAR(opline->result.var); + ZVAL_NULL(zptr); + } else { + ZVAL_DEREF(zptr); + ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); + zval_opt_copy_ctor(zptr); + } if (inc) { increment_function(zptr); } else { 
@@ -32217,14 +32307,21 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_obj_helper_SP /* here we are sure we are dealing with an object */ if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr) && EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, (((IS_TMP_VAR|IS_VAR) == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) { - - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); - + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } binary_op(zptr, zptr, value); if (UNEXPECTED(RETURN_VALUE_USED(opline))) { ZVAL_COPY(EX_VAR(opline->result.var), zptr); } + if (UNEXPECTED(zptr == &zv)) { + zval_ptr_dtor(zptr); + } } else { zend_assign_op_overloaded_property(object, property, (((IS_TMP_VAR|IS_VAR) == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL)); } @@ -32577,8 +32674,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_incdec_property_helper_SPE fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } if (inc) { increment_function(zptr); @@ -32651,9 +32754,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_incdec_property_helper_SP fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); - zval_opt_copy_ctor(zptr); + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + zptr = EX_VAR(opline->result.var); + ZVAL_NULL(zptr); + } else { + ZVAL_DEREF(zptr); + ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); + zval_opt_copy_ctor(zptr); + } if (inc) { increment_function(zptr); } else { 
@@ -36753,14 +36861,21 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_obj_helper_SP /* here we are sure we are dealing with an object */ if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr) && EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, ((IS_CONST == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) { - - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); - + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } binary_op(zptr, zptr, value); if (UNEXPECTED(RETURN_VALUE_USED(opline))) { ZVAL_COPY(EX_VAR(opline->result.var), zptr); } + if (UNEXPECTED(zptr == &zv)) { + zval_ptr_dtor(zptr); + } } else { zend_assign_op_overloaded_property(object, property, ((IS_CONST == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL)); } @@ -37142,8 +37257,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_incdec_property_helper_SPE fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } if (inc) { increment_function(zptr); @@ -37215,9 +37336,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_incdec_property_helper_SP fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); - zval_opt_copy_ctor(zptr); + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + zptr = EX_VAR(opline->result.var); + ZVAL_NULL(zptr); + } else { + ZVAL_DEREF(zptr); + ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); + zval_opt_copy_ctor(zptr); + } if (inc) { increment_function(zptr); } else { 
@@ -43263,14 +43389,21 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_obj_helper_SP /* here we are sure we are dealing with an object */ if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr) && EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, ((IS_CV == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) { - - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); - + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } binary_op(zptr, zptr, value); if (UNEXPECTED(RETURN_VALUE_USED(opline))) { ZVAL_COPY(EX_VAR(opline->result.var), zptr); } + if (UNEXPECTED(zptr == &zv)) { + zval_ptr_dtor(zptr); + } } else { zend_assign_op_overloaded_property(object, property, ((IS_CV == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL)); } @@ -43652,8 +43785,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_incdec_property_helper_SPE fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } if (inc) { increment_function(zptr); @@ -43725,9 +43864,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_incdec_property_helper_SP fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); - zval_opt_copy_ctor(zptr); + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + zptr = EX_VAR(opline->result.var); + ZVAL_NULL(zptr); + } else { + ZVAL_DEREF(zptr); + ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); + zval_opt_copy_ctor(zptr); + } if (inc) { increment_function(zptr); } else { 
@@ -46800,14 +46944,21 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_binary_assign_op_obj_helper_SP /* here we are sure we are dealing with an object */ if (EXPECTED(Z_OBJ_HT_P(object)->get_property_ptr_ptr) && EXPECTED((zptr = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, property, BP_VAR_RW, (((IS_TMP_VAR|IS_VAR) == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL))) != NULL)) { - - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); - + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } binary_op(zptr, zptr, value); if (UNEXPECTED(RETURN_VALUE_USED(opline))) { ZVAL_COPY(EX_VAR(opline->result.var), zptr); } + if (UNEXPECTED(zptr == &zv)) { + zval_ptr_dtor(zptr); + } } else { zend_assign_op_overloaded_property(object, property, (((IS_TMP_VAR|IS_VAR) == IS_CONST) ? CACHE_ADDR(Z_CACHE_SLOT_P(property)) : NULL), value, binary_op, (UNEXPECTED(RETURN_VALUE_USED(opline)) ? EX_VAR(opline->result.var) : NULL)); } @@ -47191,8 +47342,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_incdec_property_helper_SPE fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - SEPARATE_ZVAL_NOREF(zptr); + zval zv; + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + ZVAL_NULL(&zv); + zptr = &zv; + } else { + ZVAL_DEREF(zptr); + SEPARATE_ZVAL_NOREF(zptr); + } if (inc) { increment_function(zptr); @@ -47265,9 +47422,14 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_incdec_property_helper_SP fast_long_decrement_function(zptr); } } else { - ZVAL_DEREF(zptr); - ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); - zval_opt_copy_ctor(zptr); + if (UNEXPECTED(Z_ISERROR_P(zptr))) { + zptr = EX_VAR(opline->result.var); + ZVAL_NULL(zptr); + } else { + ZVAL_DEREF(zptr); + ZVAL_COPY_VALUE(EX_VAR(opline->result.var), zptr); + zval_opt_copy_ctor(zptr); + } if (inc) { increment_function(zptr); } else {