Fixed bug #73960

3 files changed, 22 insertions, 0 deletions

diff --git a/NEWS b/NEWS
index 485896272f..b598d4ddd0 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,8 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug #73370 (falsely exits with "Out of Memory" when using
     USE_ZEND_ALLOC=0). (Nikita)
+  . Fixed bug #73960 (Leak with instance method calling static method with
+    referenced return). (Nikita)
 
 - Date:
   . Fixed bug #72096 (Swatch time value incorrect for dates before 1970). (mcq8)
diff --git a/Zend/tests/bug73960.phpt b/Zend/tests/bug73960.phpt
new file mode 100644
index 0000000000..533c87afb0
--- /dev/null
+++ b/Zend/tests/bug73960.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #73960: Leak with instance method calling static method with referenced return
+--FILE--
+<?php
+
+$value = 'one';
+$array = array($value);
+$array = $ref =& $array;
+var_dump($array);
+
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  string(3) "one"
+}
diff --git a/Zend/zend_execute.h b/Zend/zend_execute.h
index d98fe05343..f010f0a45d 100644
--- a/Zend/zend_execute.h
+++ b/Zend/zend_execute.h
@@ -79,6 +79,10 @@ static zend_always_inline zval* zend_assign_to_variable(zval *variable_ptr, zval
 				return variable_ptr;
 			}
 			if (ZEND_CONST_COND(value_type & (IS_VAR|IS_CV), 1) && variable_ptr == value) {
+				if (value_type == IS_VAR && ref) {
+					ZEND_ASSERT(GC_REFCOUNT(ref) > 1);
+					--GC_REFCOUNT(ref);
+				}
 				return variable_ptr;
 			}
 			garbage = Z_COUNTED_P(variable_ptr);