Fix double free if post inc of typed property throws

nikic · nikic · commit 0d4471fd28ee · 2019-02-08T12:43:11.000+01:00
We either need to add an extra ref because the copy is used as the
retval, which is freed by HANDLE_EXCEPTION, or we need to undef it
(done here).
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
@@ -1680,6 +1680,7 @@ static void zend_incdec_typed_ref(zend_reference *ref, zval *copy, int inc EXECU
 	} else if (UNEXPECTED(!zend_verify_ref_assignable_zval(ref, var_ptr, EX_USES_STRICT_TYPES()))) {
 		zval_ptr_dtor(var_ptr);
 		ZVAL_COPY_VALUE(var_ptr, copy);
+		ZVAL_UNDEF(copy);
 	} else if (copy == &tmp) {
 		zval_ptr_dtor(&tmp);
 	}
@@ -1707,6 +1708,7 @@ static void zend_incdec_typed_prop(zend_property_info *prop_info, zval *var_ptr,
 	} else if (UNEXPECTED(!zend_verify_property_type(prop_info, var_ptr, EX_USES_STRICT_TYPES()))) {
 		zval_ptr_dtor(var_ptr);
 		ZVAL_COPY_VALUE(var_ptr, copy);
+		ZVAL_UNDEF(copy);
 	} else if (copy == &tmp) {
 		zval_ptr_dtor(&tmp);
 	}
