authorXinchen Hui <laruence@gmail.com>2017-09-24 17:24:11 +0800
committerXinchen Hui <laruence@gmail.com>2017-09-24 17:24:11 +0800
commitb05ff14a9aa8fd98eea9cbeb090f9d64bf302561 (patch)
tree3ebfa1245261cf46bcaa169cba48864ae2f33988
parentdb63367871ce475d52ae8a3c9cc8efe5bc908dec (diff)
downloadphp-git-b05ff14a9aa8fd98eea9cbeb090f9d64bf302561.tar.gz
Fixed bug #75241 (Null pointer dereference in zend_mm_alloc_small()).
-rw-r--r--NEWS2
-rw-r--r--Zend/tests/bug75241.phpt13
-rw-r--r--Zend/zend_operators.c4
3 files changed, 18 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index f1cc520650..37520dc7d3 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP NEWS
?? ??? 2017 PHP 7.0.25
- Core:
+ . Fixed bug #75241 (Null pointer dereference in zend_mm_alloc_small()).
+ (Laruence)
. Fixed bug #75236 (infinite loop when printing an error-message). (Andrea)
. Fixed bug #75252 (Incorrect token formatting on two parse errors in one
request). (Nikita)
diff --git a/Zend/tests/bug75241.phpt b/Zend/tests/bug75241.phpt
new file mode 100644
index 0000000000..1751bbee76
--- /dev/null
+++ b/Zend/tests/bug75241.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #75241 (Null pointer dereference in zend_mm_alloc_small())
+--FILE--
+<?php
+function eh(){}
+
+set_error_handler('eh');
+
+$d->d = &$d + $d->d/=0;
+var_dump($d);
+?>
+--EXPECT--
+float(INF)
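Review bot: The no-op handler installed by `set_error_handler('eh')` swallows every diagnostic this expression raises, so nothing in the test records which warnings or notices are expected on the way to `float(INF)`, and a reader cannot tell whether that silence is deliberate. A one-line comment on the handler would make the intent explicit, e.g. `// swallow the warnings this expression emits; only the final value (and the absence of a crash) is under test`. If the intent were to pin the exact diagnostics, an `--EXPECTF--` section listing them would do that, but the comment alone is enough to document the choice made here.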
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index 3a8929b83f..d87dba919b 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -221,8 +221,10 @@ try_again:
if (Z_TYPE(holder) == IS_LONG) { \
if (op == result) { \
zval_ptr_dtor(op); \
+ ZVAL_LONG(op, Z_LVAL(holder)); \
+ } else { \
+ (op) = &(holder); \
} \
- (op) = &(holder); \
} \
break; \
} \
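Review bot: The new `op == result` branch carries no comment explaining why it must differ from the `else` branch, yet the two paths leave `op` in different states that the rest of the macro has to tolerate: after the first, `op` still aliases `result` and `result` now holds the long; after the second, `op` points at the `holder` temporary and `result` is untouched. I would add above `zval_ptr_dtor(op);` the comment `/* op aliases result: release the old payload and store the long in place, so result never keeps a released value while op is redirected elsewhere */`. One caveat to confirm rather than a defect: `zval_ptr_dtor(op)` runs before `ZVAL_LONG` overwrites the slot, so if the released value is an object with a user-level destructor, that destructor observes `result` still typed as the old value; as far as I recall the engine's convert_to_* helpers use the same release-then-overwrite order, so this is consistent with surrounding code. The enclosing macro begins and ends outside the hunk, so the `switch` case this `if` belongs to is not visible here.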