From: Nikita Popov
Date: Wed, 24 Feb 2016 16:39:16 +0000 (+0100)
Subject: Fix leak on assignment to illegal AO offset
X-Git-Tag: php-7.0.5RC1~65
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=eb885e9d6ebc6670d1ccc6d5c0fa26e411ffb0fb;p=php

Fix leak on assignment to illegal AO offset
---

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 9ddd38bccf..0740c063e9 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -439,19 +439,16 @@ static void spl_array_write_dimension_ex(int check_inherited, zval *object, zval
 return;
 }

+ if (Z_REFCOUNTED_P(value)) {
+ Z_ADDREF_P(value);
+ }
+
 if (!offset) {
 ht = spl_array_get_hash_table(intern);
- if (Z_REFCOUNTED_P(value)) {
- Z_ADDREF_P(value);
- }
 zend_hash_next_index_insert(ht, value);
 return;
 }

- if (Z_REFCOUNTED_P(value)) {
- Z_ADDREF_P(value);
- }
-
 try_again:
 switch (Z_TYPE_P(offset)) {
 case IS_STRING:
@@ -485,6 +482,7 @@ num_index:
 goto try_again;
 default:
 zend_error(E_WARNING, "Illegal offset type");
+ zval_ptr_dtor(value);
 return;
 }
 } /* }}} */
diff --git a/ext/spl/tests/ArrayObject_illegal_offset_leak.phpt b/ext/spl/tests/ArrayObject_illegal_offset_leak.phpt
new file mode 100644
index 0000000000..42c649db9f
--- /dev/null
+++ b/ext/spl/tests/ArrayObject_illegal_offset_leak.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Assignments to illegal ArrayObject offsets shouldn't leak
+--FILE--
+
+--EXPECTF--
+Warning: Illegal offset type in %s on line %d
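Review bot: In the `!offset` branch of the first ext/spl/spl_array.c hunk, the result of `zend_hash_next_index_insert(ht, value)` is ignored, so a failed append never releases the reference taken by the hoisted `Z_ADDREF_P(value)`. This is the same kind of leak the commit fixes for illegal offsets. zend_hash_next_index_insert returns NULL when it cannot insert (for example when no next index is available), so the call could become `if (!zend_hash_next_index_insert(ht, value)) { zval_ptr_dtor(value); }`. The function body starts before this hunk and the other switch cases lie outside it, so whether the remaining update paths can fail the same way is not visible here.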
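Review bot: The `zval_ptr_dtor(value)` added in the `default:` branch of the second ext/spl/spl_array.c hunk has no comment tying it to the `Z_ADDREF_P(value)` that now runs before the offset is inspected, about forty lines earlier. Someone adding another early return to this switch will not see from the local code that the function already holds a reference at that point. A one-line comment above the call, such as `/* release the reference taken before the offset type was checked */`, would make the pairing explicit. The switch begins outside this hunk.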