From 951e29f66ec61c21588e10ab202f867f302d572e Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@gmail.com>
Date: Tue, 5 Jun 2018 17:15:57 +0800
Subject: [PATCH] Fixed bug #76410 (SIGV in zend_mm_alloc_small)

---
 NEWS                 | 1 +
 ext/standard/array.c | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index bd0705c452..b9f6635825 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,7 @@ PHP                                                                        NEWS
   . Fixed bug #76367 (NoRewindIterator segfault 11). (Laruence)
 
 - Standard:
+  . Fixed bug #76410 (SIGV in zend_mm_alloc_small). (Laruence)
   . Fixed bug #76335 ("link(): Bad file descriptor" with non-ASCII path).
     (Anatol)
 
diff --git a/ext/standard/array.c b/ext/standard/array.c
index 382fb72beb..b3852619d6 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -2533,7 +2533,13 @@ PHP_FUNCTION(extract)
 				count = php_extract_if_exists(Z_ARRVAL_P(var_array_param), symbol_table);
 				break;
 			case EXTR_OVERWRITE:
-				count = php_extract_overwrite(Z_ARRVAL_P(var_array_param), symbol_table);
+				{
+					zval zv;
+					/* The array might be stored in a local variable that will be overwritten */
+					ZVAL_COPY(&zv, var_array_param);
+					count = php_extract_overwrite(Z_ARRVAL(zv), symbol_table);
+					zval_ptr_dtor(&zv);
+				}
 				break;
 			case EXTR_PREFIX_IF_EXISTS:
 				count = php_extract_prefix_if_exists(Z_ARRVAL_P(var_array_param), symbol_table, prefix);
-- 
2.50.0