From 90fae56e2277fce76f8d9223c1b0a3d5b625915f Mon Sep 17 00:00:00 2001
From: Ilija Tovilo
Date: Wed, 29 Mar 2023 14:37:52 +0200
Subject: [PATCH] Fix incorrect zval type_flags in preg_replace_callback_array() for immutable arrays

The ZVAL_ARR macro always set the zval type_info to IS_ARRAY_EX, even if the hash table is immutable. Since in preg_replace_callback_array() we can return the passed array directly, and that passed array can be immutable, we need to reset the type_flags to keep the VM from performing ref-counting on the array.

Fixes GH-10968
---
 ext/pcre/php_pcre.c | 6 +++++-
 ext/pcre/tests/gh10968.phpt | 11 +++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 ext/pcre/tests/gh10968.phpt

diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c
index a8d3559ef5beb..7c08f5ae45123 100644
--- a/ext/pcre/php_pcre.c
+++ b/ext/pcre/php_pcre.c
@@ -2479,7 +2479,11 @@ PHP_FUNCTION(preg_replace_callback_array)
 }
 
 if (subject_ht) {
- RETURN_ARR(subject_ht);
+ RETVAL_ARR(subject_ht);
+ if (GC_FLAGS(subject_ht) & GC_IMMUTABLE) {
+ Z_TYPE_FLAGS_P(return_value) = 0;
+ }
+ return;
 } else {
 RETURN_STR(subject_str);
 }
diff --git a/ext/pcre/tests/gh10968.phpt b/ext/pcre/tests/gh10968.phpt
new file mode 100644
index 0000000000000..873d17e79da86
--- /dev/null
+++ b/ext/pcre/tests/gh10968.phpt
@@ -0,0 +1,11 @@
+--TEST--
+GH-10968: preg_replace_callback_array() segmentation fault
+--FILE--
+
+--EXPECT--
+array(0) {
+}
+string(0) ""
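Review bot: The flag reset after `RETVAL_ARR(subject_ht)` carries no comment saying why it is there, yet it is the only thing keeping the VM from doing refcount writes on an immutable array (the GH-10968 segfault named in the test title). I would add above the `if`: `/* RETVAL_ARR sets IS_ARRAY_EX unconditionally; immutable arrays must not be refcounted, so clear the type flags. */`. Per the commit message the root cause sits in the `ZVAL_ARR` macro itself, so other `RETURN_ARR`/`RETVAL_ARR` call sites that hand back a caller-supplied array presumably carry the same hazard; a shared helper, or an audit of those sites, would keep this memory-safety fix from living at a single call site. The body of `preg_replace_callback_array` begins outside this hunk, so how `subject_ht` is obtained and whether it is ever separated earlier is not visible here.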