-rw-r--r--NEWS2
-rw-r--r--Zend/tests/bug67314.phpt22
-rw-r--r--Zend/zend_execute_API.c4
3 files changed, 28 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index bacfa367ed..0c4220de44 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,8 @@ PHP NEWS
- Core:
. Fixed bug #60022 ("use statement [...] has no effect" depends on leading
backslash). (Nikita)
+ . Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer).
+ (Dmitry)
. Fixed bug #68652 (segmentation fault in destructor). (Dmitry)
- ODBC:
diff --git a/Zend/tests/bug67314.phpt b/Zend/tests/bug67314.phpt
new file mode 100644
index 0000000000..c5b6a1293d
--- /dev/null
+++ b/Zend/tests/bug67314.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #67314 (Segmentation fault in gc_remove_zval_from_buffer)
+--FILE--
+<?php
+function crash()
+{
+ $notDefined[$i] = 'test';
+}
+
+function error_handler() { return false; }
+
+set_error_handler('error_handler');
+crash();
+echo "made it once\n";
+crash();
+echo "ok\n";
+--EXPECTF--
+Notice: Undefined variable: i in %sbug67314.php on line 4
+made it once
+
+Notice: Undefined variable: i in %sbug67314.php on line 4
+ok
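Review bot: The test does not say why `set_error_handler('error_handler')` is needed, so a later cleanup could drop the handler and leave a test that passes without reaching the fixed code. Presumably the user-level handler is what forces the symbol table to be rebuilt while the CV for `$notDefined` is still in its uninitialized state. If so, record that in a `--DESCRIPTION--` section rather than a comment inside `--FILE--`, because the expected output pins `line 4`. The two `crash()` calls look deliberate, with the second run seemingly being where the damage surfaced (hence "made it once"), and deserve the same one-line explanation.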
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
index aeced8fb41..a230b9c270 100644
--- a/Zend/zend_execute_API.c
+++ b/Zend/zend_execute_API.c
@@ -1585,6 +1585,10 @@ ZEND_API void zend_rebuild_symbol_table(TSRMLS_D) /* {{{ */
ex->symbol_table = EG(active_symbol_table);
for (i = 0; i < ex->op_array->last_var; i++) {
if (*EX_CV_NUM(ex, i)) {
+ if (UNEXPECTED(**EX_CV_NUM(ex, i) == &EG(uninitialized_zval))) {
+ Z_DELREF(EG(uninitialized_zval));
+ ALLOC_INIT_ZVAL(**EX_CV_NUM(ex, i));
+ }
zend_hash_quick_update(EG(active_symbol_table),
ex->op_array->vars[i].name,
ex->op_array->vars[i].name_len + 1,
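Review bot: The new branch guarded by `UNEXPECTED(**EX_CV_NUM(ex, i) == &EG(uninitialized_zval))` carries no comment, although the invariant it enforces is the whole fix. The shared `EG(uninitialized_zval)` must not be handed to `zend_hash_quick_update`, since a symbol table may later release or GC-track its entries as if they were individually allocated zvals. I would add above the `if`: `/* never publish the shared uninitialized zval into a symbol table; give the CV its own NULL zval */`. `Z_DELREF(EG(uninitialized_zval))` also assumes every path that parks the shared zval in a CV slot took a reference first. That is not visible here and is worth confirming, because a slot filled without an addref would drive the shared refcount down on each rebuild. The `zend_hash_quick_update` call and the enclosing function continue outside the hunk.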