From 971b07ea60172a80ee308e91c7a7912eea8a571f Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@zend.com>
Date: Tue, 14 Jun 2022 15:03:50 +0300
Subject: [PATCH] JIT: Fix incorrect reference-counting

This fixes oss-fuzz #47937
---
 ext/opcache/jit/zend_jit_helpers.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ext/opcache/jit/zend_jit_helpers.c b/ext/opcache/jit/zend_jit_helpers.c
index 0f312fb415c..f953d704ca0 100644
--- a/ext/opcache/jit/zend_jit_helpers.c
+++ b/ext/opcache/jit/zend_jit_helpers.c
@@ -811,7 +811,7 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_rw_helper(zend_array *ht, zval *di
 				opline = EX(opline);
 				zend_incompatible_double_to_long_error(Z_DVAL_P(dim));
 				if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && GC_DELREF(ht) != 1) {
-					if (GC_REFCOUNT(ht)) {
+					if (!GC_REFCOUNT(ht)) {
 						zend_array_destroy(ht);
 					}
 					if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
@@ -841,7 +841,7 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_rw_helper(zend_array *ht, zval *di
 			opline = EX(opline);
 			zend_use_resource_as_offset(dim);
 			if (!(GC_FLAGS(ht) & IS_ARRAY_IMMUTABLE) && GC_DELREF(ht) != 1) {
-				if (GC_REFCOUNT(ht)) {
+				if (!GC_REFCOUNT(ht)) {
 					zend_array_destroy(ht);
 				}
 				if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {