Fix memory leak with ** on array operands

nikic · nikic · commit ab938d7bbc3c · 2019-09-26T13:45:45.000+02:00
diff --git a/Zend/tests/pow_array_leak.phpt b/Zend/tests/pow_array_leak.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Memory leak on ** with result==op1 array
+--FILE--
+<?php
+
+$x = [0];
+$x **= 1;
+var_dump($x);
+
+$x = [0];
+$x **= $x;
+var_dump($x);
+
+?>
+--EXPECT--
+int(0)
+int(0)
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
@@ -1128,19 +1128,28 @@ ZEND_API int ZEND_FASTCALL pow_function(zval *result, zval *op1, zval *op2) /* {
 
 					if (EXPECTED(op1 != op2)) {
 						if (Z_TYPE_P(op1) == IS_ARRAY) {
+							if (op1 == result) {
+								zval_ptr_dtor(result);
+							}
 							ZVAL_LONG(result, 0);
 							return SUCCESS;
 						} else {
 							zendi_convert_scalar_to_number(op1, op1_copy, result, 0);
 						}
 						if (Z_TYPE_P(op2) == IS_ARRAY) {
+							if (op1 == result) {
+								zval_ptr_dtor(result);
+							}
 							ZVAL_LONG(result, 1L);
 							return SUCCESS;
 						} else {
 							zendi_convert_scalar_to_number(op2, op2_copy, result, 0);
 						}
 					} else {
 						if (Z_TYPE_P(op1) == IS_ARRAY) {
+							if (op1 == result) {
+								zval_ptr_dtor(result);
+							}
 							ZVAL_LONG(result, 0);
 							return SUCCESS;
 						} else {
