Fixed bug #76713 (Segmentation fault caused by property corruption)

3 files changed, 46 insertions, 0 deletions

diff --git a/NEWS b/NEWS
index 5ad7f9ad59..c1c62716f8 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,10 @@ PHP                                                                        NEWS
   . Fixed bug #76595 (phpdbg man page contains outdated information).
     (Kevin Abel)
 
+- Standard:
+  . Fixed bug #76713 (Segmentation fault caused by property corruption).
+    (Laruence)
+
 - zlib:
   . Fixed bug #65988 (Zlib version check fails when an include/zlib/ style dir
     is passed to the --with-zlib configure option). (Jay Bonci)
diff --git a/ext/standard/array.c b/ext/standard/array.c
index ed917d71d0..187b7182a4 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -4113,6 +4113,9 @@ static inline zval *array_column_fetch_prop(zval *data, zval *name, zval *rv) /*
 			prop = Z_OBJ_HANDLER_P(data, read_property)(data, name, BP_VAR_R, NULL, rv);
 			if (prop) {
 				ZVAL_DEREF(prop);
+				if (prop != rv) {
+					Z_TRY_ADDREF_P(prop);
+				}
 			}
 		}
 	} else if (Z_TYPE_P(data) == IS_ARRAY) {
diff --git a/ext/standard/tests/array/bug76713.phpt b/ext/standard/tests/array/bug76713.phpt
new file mode 100644
index 0000000000..0c993f5721
--- /dev/null
+++ b/ext/standard/tests/array/bug76713.phpt
@@ -0,0 +1,39 @@
+--TEST--
+Bug #76713 (Segmentation fault caused by property corruption)
+--FILE--
+<?php
+
+function test($obj) {
+	return array_column(array($obj), "prop");
+}
+
+$obj = new Stdclass();
+
+$obj->prop = str_pad("a", 10, 'a');
+
+test($obj);
+test($obj);
+test($obj);
+
+var_dump($obj->prop);
+
+class C {
+	public $name;
+	public function __get($name) {
+		return $this->name;
+	}
+}
+
+$obj = new C;
+
+$obj->name = str_pad("b", 10, 'b');
+
+test($obj);
+test($obj);
+test($obj);
+
+var_dump($obj->prop);
+?>
+--EXPECT--
+string(10) "aaaaaaaaaa"
+string(10) "bbbbbbbbbb"