From 09b36113b0ed2121610255088bb6742db64a2a33 Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Fri, 9 Dec 2016 22:30:24 +0800
Subject: [PATCH] Fix the bug in ZEND_ASSIGN_DIM (as nikic suggest)
---
 Zend/zend_vm_def.h | 2 +-
 Zend/zend_vm_execute.h | 32 ++++++++++++++++----------------
 ext/spl/spl_array.c | 5 -----
 3 files changed, 17 insertions(+), 22 deletions(-)
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 77f1e454db..756ed9443a 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -2419,7 +2419,7 @@ ZEND_VM_C_LABEL(try_assign_dim_array):
 }
 if (EXPECTED(Z_TYPE_P(object_ptr) == IS_OBJECT)) {
 dim = GET_OP2_ZVAL_PTR(BP_VAR_R);
- value = GET_OP_DATA_ZVAL_PTR(BP_VAR_R);
+ value = GET_OP_DATA_ZVAL_PTR_DEREF(BP_VAR_R);
 zend_assign_to_object_dim(object_ptr, dim, value);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 10570895c0..ea203c1ad0 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -19582,7 +19582,7 @@ try_assign_dim_array: } if (EXPECTED(Z_TYPE_P(object_ptr) == IS_OBJECT)) { dim = EX_CONSTANT(opline->op2); - value = _get_zval_ptr_var((opline+1)->op1.var, execute_data, &free_op_data); + value = _get_zval_ptr_var_deref((opline+1)->op1.var, execute_data, &free_op_data); zend_assign_to_object_dim(object_ptr, dim, value);
@@ -19674,7 +19674,7 @@ try_assign_dim_array: } if (EXPECTED(Z_TYPE_P(object_ptr) == IS_OBJECT)) { dim = EX_CONSTANT(opline->op2); - value = _get_zval_ptr_cv_BP_VAR_R(execute_data, (opline+1)->op1.var); + value = _get_zval_ptr_cv_deref_BP_VAR_R(execute_data, (opline+1)->op1.var); zend_assign_to_object_dim(object_ptr, dim, value);
@@ -21531,7 +21531,7 @@ try_assign_dim_array: } if (EXPECTED(Z_TYPE_P(object_ptr) == IS_OBJECT)) { dim = NULL; - value = _get_zval_ptr_var((opline+1)->op1.var, execute_data, &free_op_data); + value = _get_zval_ptr_var_deref((opline+1)->op1.var, execute_data, &free_op_data); zend_assign_to_object_dim(object_ptr, dim, value);
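Review bot: In the Zend/zend_vm_def.h hunk (@@ -2419,7 +2419,7 @@), the dereference on `value = GET_OP_DATA_ZVAL_PTR_DEREF(BP_VAR_R);` appears to be the only thing now keeping an IS_REFERENCE wrapper away from `zend_assign_to_object_dim`, and nothing on the line records that invariant. The same commit deletes the `Z_ISREF_P`/`ZVAL_UNREF` guard from `spl_array_write_dimension_ex`, so a later edit back to the non-deref fetch would presumably hand write_dimension handlers a reference zval with no fallback; I would add `/* write_dimension handlers must not see IS_REFERENCE: deref OP_DATA here */` above the assignment. The diffstat lists no test file, so a .phpt that assigns a reference-holding variable into an ArrayObject and into a userland ArrayAccess object would pin the behaviour. The handler body starts and ends outside the hunk, so whether the later op_data free still operates on the original slot rather than the dereferenced pointer cannot be confirmed from here.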
@@ -21623,7 +21623,7 @@ try_assign_dim_array: } if (EXPECTED(Z_TYPE_P(object_ptr) == IS_OBJECT)) { dim = NULL; - value = _get_zval_ptr_cv_BP_VAR_R(execute_data, (opline+1)->op1.var); + value = _get_zval_ptr_cv_deref_BP_VAR_R(execute_data, (opline+1)->op1.var); zend_assign_to_object_dim(object_ptr, dim, value); @@ -24371,7 +24371,7 @@ try_assign_dim_array: } if (EXPECTED(Z_TYPE_P(object_ptr) == IS_OBJECT)) { dim = _get_zval_ptr_cv_BP_VAR_R(execute_data, opline->op2.var); - value = _get_zval_ptr_var((opline+1)->op1.var, execute_data, &free_op_data); + value = _get_zval_ptr_var_deref((opline+1)->op1.var, execute_data, &free_op_data); zend_assign_to_object_dim(object_ptr, dim, value); @@ -24463,7 +24463,7 @@ try_assign_dim_array: } if (EXPECTED(Z_TYPE_P(object_ptr) == IS_OBJECT)) { dim = _get_zval_ptr_cv_BP_VAR_R(execute_data, opline->op2.var); - value = _get_zval_ptr_cv_BP_VAR_R(execute_data, (opline+1)->op1.var); + value = _get_zval_ptr_cv_deref_BP_VAR_R(execute_data, (opline+1)->op1.var); zend_assign_to_object_dim(object_ptr, dim, value); @@ -27321,7 +27321,7 @@ try_assign_dim_array: } if (EXPECTED(Z_TYPE_P(object_ptr) == IS_OBJECT)) { dim = _get_zval_ptr_var(opline->op2.var, execute_data, &free_op2); - value = _get_zval_ptr_var((opline+1)->op1.var, execute_data, &free_op_data); + value = _get_zval_ptr_var_deref((opline+1)->op1.var, execute_data, &free_op_data); zend_assign_to_object_dim(object_ptr, dim, value); @@ -27413,7 +27413,7 @@ try_assign_dim_array: } if (EXPECTED(Z_TYPE_P(object_ptr) == IS_OBJECT)) { dim = _get_zval_ptr_var(opline->op2.var, execute_data, &free_op2); - value = _get_zval_ptr_cv_BP_VAR_R(execute_data, (opline+1)->op1.var); + value = _get_zval_ptr_cv_deref_BP_VAR_R(execute_data, (opline+1)->op1.var); zend_assign_to_object_dim(object_ptr, dim, value); 
@@ -39313,7 +39313,7 @@ try_assign_dim_array: } if (EXPECTED(Z_TYPE_P(object_ptr) == IS_OBJECT)) { dim = EX_CONSTANT(opline->op2); - value = _get_zval_ptr_var((opline+1)->op1.var, execute_data, &free_op_data); + value = _get_zval_ptr_var_deref((opline+1)->op1.var, execute_data, &free_op_data); zend_assign_to_object_dim(object_ptr, dim, value); @@ -39405,7 +39405,7 @@ try_assign_dim_array: } if (EXPECTED(Z_TYPE_P(object_ptr) == IS_OBJECT)) { dim = EX_CONSTANT(opline->op2); - value = _get_zval_ptr_cv_BP_VAR_R(execute_data, (opline+1)->op1.var); + value = _get_zval_ptr_cv_deref_BP_VAR_R(execute_data, (opline+1)->op1.var); zend_assign_to_object_dim(object_ptr, dim, value); @@ -42457,7 +42457,7 @@ try_assign_dim_array: } if (EXPECTED(Z_TYPE_P(object_ptr) == IS_OBJECT)) { dim = NULL; - value = _get_zval_ptr_var((opline+1)->op1.var, execute_data, &free_op_data); + value = _get_zval_ptr_var_deref((opline+1)->op1.var, execute_data, &free_op_data); zend_assign_to_object_dim(object_ptr, dim, value); @@ -42549,7 +42549,7 @@ try_assign_dim_array: } if (EXPECTED(Z_TYPE_P(object_ptr) == IS_OBJECT)) { dim = NULL; - value = _get_zval_ptr_cv_BP_VAR_R(execute_data, (opline+1)->op1.var); + value = _get_zval_ptr_cv_deref_BP_VAR_R(execute_data, (opline+1)->op1.var); zend_assign_to_object_dim(object_ptr, dim, value); @@ -46237,7 +46237,7 @@ try_assign_dim_array: } if (EXPECTED(Z_TYPE_P(object_ptr) == IS_OBJECT)) { dim = _get_zval_ptr_cv_BP_VAR_R(execute_data, opline->op2.var); - value = _get_zval_ptr_var((opline+1)->op1.var, execute_data, &free_op_data); + value = _get_zval_ptr_var_deref((opline+1)->op1.var, execute_data, &free_op_data); zend_assign_to_object_dim(object_ptr, dim, value); 
@@ -46329,7 +46329,7 @@ try_assign_dim_array: } if (EXPECTED(Z_TYPE_P(object_ptr) == IS_OBJECT)) { dim = _get_zval_ptr_cv_BP_VAR_R(execute_data, opline->op2.var); - value = _get_zval_ptr_cv_BP_VAR_R(execute_data, (opline+1)->op1.var); + value = _get_zval_ptr_cv_deref_BP_VAR_R(execute_data, (opline+1)->op1.var); zend_assign_to_object_dim(object_ptr, dim, value); @@ -50314,7 +50314,7 @@ try_assign_dim_array: } if (EXPECTED(Z_TYPE_P(object_ptr) == IS_OBJECT)) { dim = _get_zval_ptr_var(opline->op2.var, execute_data, &free_op2); - value = _get_zval_ptr_var((opline+1)->op1.var, execute_data, &free_op_data); + value = _get_zval_ptr_var_deref((opline+1)->op1.var, execute_data, &free_op_data); zend_assign_to_object_dim(object_ptr, dim, value); @@ -50406,7 +50406,7 @@ try_assign_dim_array: } if (EXPECTED(Z_TYPE_P(object_ptr) == IS_OBJECT)) { dim = _get_zval_ptr_var(opline->op2.var, execute_data, &free_op2); - value = _get_zval_ptr_cv_BP_VAR_R(execute_data, (opline+1)->op1.var); + value = _get_zval_ptr_cv_deref_BP_VAR_R(execute_data, (opline+1)->op1.var); zend_assign_to_object_dim(object_ptr, dim, value); diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index d3fbb95991..bddf64ee57 100644 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -473,11 +473,6 @@ static void spl_array_write_dimension_ex(int check_inherited, zval *object, zval return; } - if (UNEXPECTED(Z_ISREF_P(value) && - Z_REFCOUNTED_P(value) == 1)) { - ZVAL_UNREF(value); - } - if (Z_REFCOUNTED_P(value)) { Z_ADDREF_P(value); } -- 2.50.1