From 5eb5dfa5362bebe74321a90b62c3a0bc0e825cdd Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@php.net>
Date: Wed, 8 Jun 2005 19:54:46 +0000
Subject: [PATCH] Fixed memory allocation bugs in array_reduce() with initial
 value (#22463 & #24980)

---
 ext/standard/array.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/ext/standard/array.c b/ext/standard/array.c
index d2ed1c7eff..953b667507 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -3863,8 +3863,11 @@ PHP_FUNCTION(array_reduce)
 	efree(callback_name);
 
 	if (ZEND_NUM_ARGS() > 2) {
-		convert_to_long_ex(initial);
-		result = *initial;
+		ALLOC_ZVAL(result);
+		*result = **initial;
+		zval_copy_ctor(result);
+		convert_to_long(result);
+		INIT_PZVAL(result);
 	} else {
 		MAKE_STD_ZVAL(result);
 		ZVAL_NULL(result);
@@ -3880,6 +3883,7 @@ PHP_FUNCTION(array_reduce)
 		if (result) {
 			*return_value = *result;
 			zval_copy_ctor(return_value);
+			zval_ptr_dtor(&result);
 		}
 		return;
 	}
-- 
2.50.1