Fixed bug #76846

NEWS

@@ -5,6 +5,8 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug #76901 (method_exists on SPL iterator passthrough method corrupts
     memory). (Nikita)
+  . Fixed bug #76846 (Segfault in shutdown function after memory limit error).
+    (Nikita)
 
 - CURL:
   . Fixed bug #76480 (Use curl_multi_wait() so that timeouts are respected).

Zend/tests/bug76846.phpt

@@ -0,0 +1,27 @@
+--TEST--
+Bug #76846: Segfault in shutdown function after memory limit error
+--INI--
+memory_limit=33M
+--SKIPIF--
+<?php
+$zend_mm_enabled = getenv("USE_ZEND_ALLOC");
+if ($zend_mm_enabled === "0") {
+	die("skip Zend MM disabled");
+}
+?>
+--FILE--
+<?php
+
+register_shutdown_function(function() {
+    new stdClass;
+});
+
+$ary = [];
+while (true) {
+    $ary[] = new stdClass;
+}
+
+?>
+--EXPECTF--
+Fatal error: Allowed memory size of %d bytes exhausted at %s:%d (tried to allocate %d bytes) in %s on line %d
+%A

Zend/zend_objects_API.c

@@ -116,8 +116,10 @@ ZEND_API void zend_objects_store_put(zend_object *object)
 		EG(objects_store).free_list_head = GET_OBJ_BUCKET_NUMBER(EG(objects_store).object_buckets[handle]);
 	} else {
 		if (EG(objects_store).top == EG(objects_store).size) {
-			EG(objects_store).size <<= 1;
-			EG(objects_store).object_buckets = (zend_object **) erealloc(EG(objects_store).object_buckets, EG(objects_store).size * sizeof(zend_object*));
+			uint32_t new_size = 2 * EG(objects_store).size;
+			EG(objects_store).object_buckets = (zend_object **) erealloc(EG(objects_store).object_buckets, new_size * sizeof(zend_object*));
+			/* Assign size after realloc, in case it fails */
+			EG(objects_store).size = new_size;
 		}
 		handle = EG(objects_store).top++;
 	}