From fb34cd90f8a26d32f4eab179c4192d13a87c856c Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikic@php.net>
Date: Sun, 5 Oct 2014 22:58:40 +0200
Subject: [PATCH] Fix $arr =& $arr[0]

value_ptr can be invalidated by the ptr_dtor, so backup the
zend_reference in an extra variable.
---
 Zend/zend_execute.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index e019191a5e..45911a8a99 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -462,10 +462,13 @@ static inline zval *_get_obj_zval_ptr_ptr(int op_type, const znode_op *node, zen
 static inline void zend_assign_to_variable_reference(zval *variable_ptr, zval *value_ptr TSRMLS_DC)
 {
 	if (EXPECTED(variable_ptr != value_ptr)) {
+		zend_reference *ref;
 		ZVAL_MAKE_REF(value_ptr);
 		Z_ADDREF_P(value_ptr);
+		ref = Z_REF_P(value_ptr);
+
 		zval_ptr_dtor(variable_ptr);
-		ZVAL_REF(variable_ptr, Z_REF_P(value_ptr));
+		ZVAL_REF(variable_ptr, ref);
 	} else {
 		ZVAL_MAKE_REF(variable_ptr);
 	}
-- 
2.50.1