Fixed bug #75241 (Null pointer dereference in zend_mm_alloc_small()).

laruence · laruence · commit b05ff14a9aa8 · 2017-09-24T17:24:11.000+08:00
diff --git a/NEWS b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? 2017 PHP 7.0.25
 
 - Core:
+  . Fixed bug #75241 (Null pointer dereference in zend_mm_alloc_small()).
+    (Laruence)
   . Fixed bug #75236 (infinite loop when printing an error-message). (Andrea)
   . Fixed bug #75252 (Incorrect token formatting on two parse errors in one
     request). (Nikita)
diff --git a/Zend/tests/bug75241.phpt b/Zend/tests/bug75241.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #75241 (Null pointer dereference in zend_mm_alloc_small())
+--FILE--
+<?php
+function eh(){}
+
+set_error_handler('eh');
+
+$d->d = &$d + $d->d/=0;
+var_dump($d);
+?>
+--EXPECT--
+float(INF)
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
@@ -221,8 +221,10 @@ ZEND_API void ZEND_FASTCALL convert_scalar_to_number(zval *op) /* {{{ */
 					if (Z_TYPE(holder) == IS_LONG) {				\
 						if (op == result) {							\
 							zval_ptr_dtor(op);						\
+							ZVAL_LONG(op, Z_LVAL(holder));			\
+						} else {									\
+							(op) = &(holder);						\
 						}											\
-						(op) = &(holder);							\
 					}												\
 					break;											\
 			}														\
