From 247105ae1ae2a04608078f7fcfe88dacab9f55a4 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 26 Aug 2020 16:10:29 +0200
Subject: [PATCH] Property handle read_property exception in
 fetch_property_address

Otherwise we leak (and corrupt uninitialized_zval).
---
 ...ception_during_by_reference_magic_get.phpt | 23 +++++++++++++++++++
 Zend/zend_execute.c                           |  4 ++++
 2 files changed, 27 insertions(+)
 create mode 100644 Zend/tests/exception_during_by_reference_magic_get.phpt

diff --git a/Zend/tests/exception_during_by_reference_magic_get.phpt b/Zend/tests/exception_during_by_reference_magic_get.phpt
new file mode 100644
index 0000000000..5732e8cc5a
--- /dev/null
+++ b/Zend/tests/exception_during_by_reference_magic_get.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Exception thrown by __get() during =& assignment
+--FILE--
+<?php
+
+class Test {
+    private $x;
+    public function &__get($name) {
+        throw new Exception("Foobar");
+    }
+}
+
+$test = new Test;
+$y = 5;
+try {
+    $test->x =& $y;
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Foobar
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index c5b502501e..6a6ad61094 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -2872,6 +2872,10 @@ static zend_always_inline void zend_fetch_property_address(zval *result, zval *c
 			}
 			return;
 		}
+		if (UNEXPECTED(EG(exception))) {
+			ZVAL_ERROR(result);
+			return;
+		}
 	} else if (UNEXPECTED(Z_ISERROR_P(ptr))) {
 		ZVAL_ERROR(result);
 		return;
-- 
2.50.1