From 0d4471fd28eea7974b5af7832958e62e546927f6 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Fri, 8 Feb 2019 12:43:11 +0100
Subject: [PATCH] Fix double free if post inc of typed property throws

We either need to add an extra ref because the copy is used as the retval, which is freed by HANDLE_EXCEPTION, or we need to undef it (done here).

---
 Zend/zend_execute.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 92ddef051ea..840c18b150c 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1680,6 +1680,7 @@ static void zend_incdec_typed_ref(zend_reference *ref, zval *copy, int inc EXECU
 } else if (UNEXPECTED(!zend_verify_ref_assignable_zval(ref, var_ptr, EX_USES_STRICT_TYPES()))) {
 zval_ptr_dtor(var_ptr);
 ZVAL_COPY_VALUE(var_ptr, copy);
+ ZVAL_UNDEF(copy);
 } else if (copy == &tmp) {
 zval_ptr_dtor(&tmp);
 }
@@ -1707,6 +1708,7 @@ static void zend_incdec_typed_prop(zend_property_info *prop_info, zval *var_ptr,
 } else if (UNEXPECTED(!zend_verify_property_type(prop_info, var_ptr, EX_USES_STRICT_TYPES()))) {
 zval_ptr_dtor(var_ptr);
 ZVAL_COPY_VALUE(var_ptr, copy);
+ ZVAL_UNDEF(copy);
 } else if (copy == &tmp) {
 zval_ptr_dtor(&tmp);
 }
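Review bot: The ownership hand-off at the added `ZVAL_UNDEF(copy);` is easy to misread on a later pass, because nothing in the branch says that `copy` may alias the instruction's result zval, which the exception path releases again once the value has been moved back into `var_ptr`; a one-line comment would pin the invariant, e.g. `/* value is now owned by var_ptr; undef copy so the retval dtor on the exception path does not free it twice */`. The same comment belongs on the identical branch in zend_incdec_typed_prop in the second hunk. Both enclosing functions begin and end outside their hunks, so the tmp-versus-retval selection that this relies on is not visible here and the two failure branches appear to be exact duplicates that could share a small static helper. The patch also carries no regression test for the throwing post-increment case named in the subject; a minimal phpt that increments a typed property past its declared type would pin the fix against reintroduction.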