Fixed bug #73900

Author: nikic

NEWS

@@ -6,6 +6,7 @@ PHP                                                                        NEWS
   . Fixed bug #74780 (parse_url() borken when query string contains colon). 
     (jhdxr)
   . Fixed bug #74761 (Unary operator expected error on some systems). (petk)
+  . Fixed bug #73900 (Use After Free in unserialize() SplFixedArray). (nikic)
 
 - SPL:
   . Fixed bug #73471 (PHP freezes with AppendIterator). (jhdxr)

Zend/tests/bug73900.phpt

@@ -0,0 +1,15 @@
+--TEST--
+Bug #73900: Use After Free in unserialize() SplFixedArray
+--FILE--
+<?php
+
+$a = new stdClass;
+$b = new SplFixedArray(1);
+$b[0] = $a;
+$c = &$b[0];
+var_dump($c);
+
+?>
+--EXPECT--
+object(stdClass)#1 (0) {
+}

Zend/zend_execute.c

@@ -1758,16 +1758,9 @@ static zend_always_inline void zend_fetch_dimension_address(zval *result, zval *
 				zend_error(E_NOTICE, "Indirect modification of overloaded element of %s has no effect", ZSTR_VAL(ce->name));
 			} else if (EXPECTED(retval && Z_TYPE_P(retval) != IS_UNDEF)) {
 				if (!Z_ISREF_P(retval)) {
-					if (Z_REFCOUNTED_P(retval) &&
-					    Z_REFCOUNT_P(retval) > 1) {
-						if (Z_TYPE_P(retval) != IS_OBJECT) {
-							Z_DELREF_P(retval);
-							ZVAL_DUP(result, retval);
-							retval = result;
-						} else {
-							ZVAL_COPY_VALUE(result, retval);
-							retval = result;
-						}
+					if (result != retval) {
+						ZVAL_COPY(result, retval);
+						retval = result;
 					}
 					if (Z_TYPE_P(retval) != IS_OBJECT) {
 						zend_class_entry *ce = Z_OBJCE_P(container);