From f491dabe403646a751dde52679bc817967477914 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Tue, 11 Aug 2020 15:11:36 +0200
Subject: Fix nullsafe operator on reference

Dereference the value before checking the type. As the happy path
necessarily has to check for references, I'm not bothering to
delay the comparison.
---
 Zend/zend_vm_execute.h | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'Zend/zend_vm_execute.h')

diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index b9ccb2226c..e564ec3c18 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -4375,6 +4375,9 @@ static ZEND_VM_COLD ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_JMP_NULL_SPEC_CON
 	zval *val;
 
 	val = RT_CONSTANT(opline, opline->op1);
+	if (IS_CONST != IS_CONST) {
+		ZVAL_DEREF(val);
+	}
 
 	if (Z_TYPE_INFO_P(val) > IS_NULL) {
 		ZEND_VM_NEXT_OPCODE();
@@ -11095,6 +11098,9 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_JMP_NULL_SPEC_TMPV
 	zval *val;
 
 	val = EX_VAR(opline->op1.var);
+	if ((IS_TMP_VAR|IS_VAR|IS_CV) != IS_CONST) {
+		ZVAL_DEREF(val);
+	}
 
 	if (Z_TYPE_INFO_P(val) > IS_NULL) {
 		ZEND_VM_NEXT_OPCODE();
-- 
cgit v1.2.1