Fix bug #67111

Loop variables need to be freed for both "break" and "continue".

I'm adding the test to Zend/ because it's good to have a test for
this even without opcache.

3 files changed, 27 insertions, 3 deletions

diff --git a/NEWS b/NEWS
index 4a321a5873..8d6fdff92b 100644
--- a/NEWS
+++ b/NEWS
@@ -31,6 +31,10 @@ PHP                                                                        NEWS
 - Mcrypt:
   . Fixed possible read after end of buffer and use after free. (Dmitry)
 
+- Opcache:
+  . Fixed bug #67111 (Memory leak when using "continue 2" inside two foreach
+    loops). (Nikita)
+
 - Pcntl:
   . Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler
     when setting SIG_DFL). (Julien)
diff --git a/Zend/tests/bug67111.phpt b/Zend/tests/bug67111.phpt
new file mode 100644
index 0000000000..0fdfdfb517
--- /dev/null
+++ b/Zend/tests/bug67111.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #67111: Memory leak when using "continue 2" inside two foreach loops
+--FILE--
+<?php
+
+$array1 = [1, 2, 3];
+$array2 = [1, 2, 3];
+
+foreach ($array1 as $x) {
+    foreach ($array2 as $y) {
+        echo "$x.$y\n";
+        continue 2;
+    }
+}
+
+?>
+--EXPECT--
+1.1
+2.1
+3.1
diff --git a/ext/opcache/Optimizer/pass2.c b/ext/opcache/Optimizer/pass2.c
index 30708a0935..8704b787a9 100644
--- a/ext/opcache/Optimizer/pass2.c
+++ b/ext/opcache/Optimizer/pass2.c
@@ -175,9 +175,9 @@ if (ZEND_OPTIMIZER_PASS_2 & OPTIMIZATION_LEVEL) {
 						jmp_to = &op_array->brk_cont_array[array_offset];
 						array_offset = jmp_to->parent;
 						if (--nest_levels > 0) {
-							if (opline->opcode == ZEND_BRK &&
-							    (op_array->opcodes[jmp_to->brk].opcode == ZEND_FREE ||
-							     op_array->opcodes[jmp_to->brk].opcode == ZEND_SWITCH_FREE)) {
+							if (op_array->opcodes[jmp_to->brk].opcode == ZEND_FREE ||
+							    op_array->opcodes[jmp_to->brk].opcode == ZEND_SWITCH_FREE
+							) {
 								dont_optimize = 1;
 								break;
 							}