From cdb7aafc23bd1fd396305df9cddca1717b58f2b3 Mon Sep 17 00:00:00 2001
From: Tyson Andre
Date: Sun, 20 Nov 2016 15:18:32 -0800
Subject: [PATCH 1/2] Fix memory leak(null coalescing operator with Spl hash)
The SEPARATE_ARG_IF_REF macro increased the refcount of the object passed as a key. However, when the key did not exist in the ArrayAccess implementation, the code returned early without trying to decrement the refcount. Add a test of `??` succeeding+failing on a SplObjectStorage instance.
---
 Zend/zend_object_handlers.c | 2 ++
 ext/spl/tests/observer_010.phpt | 15 +++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 ext/spl/tests/observer_010.phpt
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index 70dab660b3c..af92d674960 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -736,9 +736,11 @@ zval *zend_std_read_dimension(zval *object, zval *offset, int type, zval *rv) /*
 if (type == BP_VAR_IS) {
 zend_call_method_with_1_params(object, ce, NULL, "offsetexists", rv, offset);
 if (UNEXPECTED(Z_ISUNDEF_P(rv))) {
+ zval_ptr_dtor(offset);
 return NULL;
 }
 if (!i_zend_is_true(rv)) {
+ zval_ptr_dtor(offset);
 zval_ptr_dtor(rv);
 return &EG(uninitialized_zval);
 }
diff --git a/ext/spl/tests/observer_010.phpt b/ext/spl/tests/observer_010.phpt
new file mode 100644
index 00000000000..5cedff8c7cb
--- /dev/null
+++ b/ext/spl/tests/observer_010.phpt
@@ -0,0 +1,15 @@
+--TEST--
+SPL: SplObjectStorage null coalescing operator memory leak
+--FILE--
+ Date: Mon, 21 Nov 2016 11:45:49 +0800 Subject: [PATCH 2/2] Update NEWS
---
 NEWS | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/NEWS b/NEWS
index eeb9f58ad38..535208d4d9c 100644
--- a/NEWS
+++ b/NEWS
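Review bot: In the `zend_std_read_dimension` hunk of Zend/zend_object_handlers.c, the two added `zval_ptr_dtor(offset);` calls on the `BP_VAR_IS` early returns have no comment saying which reference they release; that pairing is explained only in the commit message. I would add `/* drop the reference taken by SEPARATE_ARG_IF_REF(offset) */` above each call so the next reader does not mistake them for redundant cleanup. The macro invocation and the rest of the function lie outside the hunk, so it is worth confirming that every path reaching these two returns actually took that reference, because an unpaired `zval_ptr_dtor` would replace the leak with a premature free of the key.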
@@ -2,13 +2,14 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2016 PHP 7.0.14 -- Calendar: - . Fix integer overflows (Joshua Rogers) - - Core: + . Fixed memory leak(null coalescing operator with Spl hash). (Tyson Andre) . Fixded bug #72736 (Slow performance when fetching large dataset with mysqli / PDO). (Dmitry) +- Calendar: + . Fix integer overflows (Joshua Rogers) + - Date: . Fixed bug #69587 (DateInterval properties and isset). (jhdxr)