author | Nikita Popov <nikic@php.net> | 2016-08-16 21:04:31 +0200 |
---|---|---|
committer | Nikita Popov <nikic@php.net> | 2016-08-16 21:05:30 +0200 |
commit | e2230c17d3e17981c739cb858bc78d47d2365836 (patch) | |
tree | 1bc098bc16944ce9acdad3fd85bb12173f9ba658 | |
parent | ff065881300cac79527547270f33cb4836f199dc (diff) | |
Fix bug #72854
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | Zend/tests/bug72854.phpt | 18 | ||||
-rw-r--r-- | Zend/zend_execute.c | 4 |
3 files changed, 22 insertions, 1 deletions
@@ -6,6 +6,7 @@ PHP NEWS
 . Fixed bug #72813 (Segfault with __get returned by ref). (Laruence)
 . Fixed bug #72767 (PHP Segfaults when trying to expand an infinite operator). (Nikita)
+ . Fixed bug #72854 (PHP Crashes on duplicate destructor call). (Nikita)
 - FTP:
 . Fixed bug #70195 (Cannot upload file using ftp_put to FTPES with
diff --git a/Zend/tests/bug72854.phpt b/Zend/tests/bug72854.phpt
new file mode 100644
index 0000000000..74139c7ebc
--- /dev/null
+++ b/Zend/tests/bug72854.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #72854: PHP Crashes on duplicate destructor call
+--FILE--
+<?php
+
+function get() {
+ $t = new stdClass;
+ $t->prop = $t;
+ return $t;
+}
+
+$i = 42;
+get()->prop =& $i;
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 1012b3cc4f..a2ef9c3f4d 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -576,6 +576,7 @@ static inline zval *_get_obj_zval_ptr_ptr(int op_type, znode_op node, zend_execu
 static inline void zend_assign_to_variable_reference(zval *variable_ptr, zval *value_ptr)
 {
 zend_reference *ref;
+ zval garbage;
 if (EXPECTED(!Z_ISREF_P(value_ptr))) {
 ZVAL_NEW_REF(value_ptr, value_ptr);
@@ -585,8 +586,9 @@ static inline void zend_assign_to_variable_reference(zval *variable_ptr, zval *v
 ref = Z_REF_P(value_ptr);
 GC_REFCOUNT(ref)++;
- zval_ptr_dtor(variable_ptr);
+ ZVAL_COPY_VALUE(&garbage, variable_ptr);
 ZVAL_REF(variable_ptr, ref);
+ zval_ptr_dtor(&garbage);
 }
 /* this should modify object only if it's empty */ |
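Review bot: The new test in `Zend/tests/bug72854.phpt` only checks that the script reaches `===DONE===`, so it can still pass on a build where the double release corrupts memory without crashing right away. Since the bug is about a duplicate destructor call, a second case that swaps `stdClass` for a class with `__destruct() { echo "dtor\n"; }` and lists `dtor` exactly once in `--EXPECT--` would make single destruction observable. Running the file under a memory checker in CI would cover the remaining silent cases.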
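Review bot: Nothing in `zend_assign_to_variable_reference` records why the old value is moved into `garbage` and destroyed last, so a later cleanup could fold it back into `zval_ptr_dtor(variable_ptr)` and reintroduce bug #72854. A comment above the `ZVAL_COPY_VALUE` line would pin the ordering, e.g. `/* Store the new reference before destroying the old value: the dtor may release the container that owns variable_ptr. */`; the test's self-referencing `$t->prop = $t` suggests that is the triggering case. For the same reason `variable_ptr` may point into released storage once `zval_ptr_dtor(&garbage)` returns, and since the callers are outside this diff it is worth confirming that none of them reads `variable_ptr` after the call. The function body continues between the two hunks and is not fully visible here.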