From ab938d7bbc3c738337e3c76c2a9c2f676e4fb16e Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Thu, 26 Sep 2019 13:45:45 +0200
Subject: [PATCH] Fix memory leak with ** on array operands
---
 Zend/tests/pow_array_leak.phpt | 17 +++++++++++++++++
 Zend/zend_operators.c | 9 +++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 Zend/tests/pow_array_leak.phpt
diff --git a/Zend/tests/pow_array_leak.phpt b/Zend/tests/pow_array_leak.phpt
new file mode 100644
index 00000000000..e9165bbbc56
--- /dev/null
+++ b/Zend/tests/pow_array_leak.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Memory leak on ** with result==op1 array
+--FILE--
+
+--EXPECT--
+int(0)
+int(0)
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index 7f1e426e83c..584d5d89102 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -1128,12 +1128,18 @@ ZEND_API int ZEND_FASTCALL pow_function(zval *result, zval *op1, zval *op2) /* {
 if (EXPECTED(op1 != op2)) {
 if (Z_TYPE_P(op1) == IS_ARRAY) {
+ if (op1 == result) {
+ zval_ptr_dtor(result);
+ }
 ZVAL_LONG(result, 0);
 return SUCCESS;
 } else {
 zendi_convert_scalar_to_number(op1, op1_copy, result, 0);
 }
 if (Z_TYPE_P(op2) == IS_ARRAY) {
+ if (op1 == result) {
+ zval_ptr_dtor(result);
+ }
 ZVAL_LONG(result, 1L);
 return SUCCESS;
 } else {
@@ -1141,6 +1147,9 @@ ZEND_API int ZEND_FASTCALL pow_function(zval *result, zval *op1, zval *op2) /* {
 }
 } else {
 if (Z_TYPE_P(op1) == IS_ARRAY) {
+ if (op1 == result) {
+ zval_ptr_dtor(result);
+ }
 ZVAL_LONG(result, 0);
 return SUCCESS;
 } else {
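Review bot: In the `Z_TYPE_P(op2) == IS_ARRAY` branch the new `op1 == result` test runs after `zendi_convert_scalar_to_number(op1, op1_copy, result, 0)`, so it compares the pointer as it stands after conversion rather than the aliasing the caller passed in. The macro body is not shown here; if it can redirect `op1` to the `op1_copy` holder it is given, a refcounted value still stored in `result` would be overwritten by `ZVAL_LONG(result, 1L)` without being released, which is the same kind of leak this commit fixes for arrays. Recording the aliasing before the conversion, e.g. `zend_bool result_is_op1 = (op1 == result);` and later `if (result_is_op1) { zval_ptr_dtor(result); }`, would make that branch independent of what the macro does. The two `ZVAL_LONG(result, 0)` guards (including the one in the second hunk) test `op1` before any conversion and do not have this problem; a short comment such as `/* result aliases op1: release the array before overwriting it */` would explain why the destructor is needed there. pow_function's body starts and ends outside both hunks.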