From af92365239fccda0c20c37e0ae9583ad2a11f3cc Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Sun, 12 Feb 2012 05:32:24 +0000
Subject: [PATCH] Improved fix for #61058, and add test script
---
 ext/standard/array.c | 13 +++++++------
 ext/standard/tests/array/bug61058.phpt | 8 ++++++++
 2 files changed, 15 insertions(+), 6 deletions(-)
 create mode 100644 ext/standard/tests/array/bug61058.phpt
diff --git a/ext/standard/array.c b/ext/standard/array.c
index bd7d125eba4..7af2f44b605 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -1563,15 +1563,16 @@ PHP_FUNCTION(array_fill)
 array_init_size(return_value, num);
 num--;
+ zend_hash_index_update(Z_ARRVAL_P(return_value), start_key, &val, sizeof(zval *), NULL);
 zval_add_ref(&val);
- if (zend_hash_index_update(Z_ARRVAL_P(return_value), start_key, &val, sizeof(zval *), NULL) == FAILURE) {
- zval_ptr_dtor(&val);
- }
 while (num--) {
- zval_add_ref(&val);
- if (zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &val, sizeof(zval *), NULL) == FAILURE) {
- zval_ptr_dtor(&val);
+ if (zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &val, sizeof(zval *), NULL) == SUCCESS) {
+ zval_add_ref(&val);
+ } else {
+ zval_dtor(return_value);
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot add element to the array as the next element is already occupied");
+ RETURN_FALSE;
 }
 }
 }
diff --git a/ext/standard/tests/array/bug61058.phpt b/ext/standard/tests/array/bug61058.phpt
new file mode 100644
index 00000000000..1f0f6fe630d
--- /dev/null
+++ b/ext/standard/tests/array/bug61058.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #61058 (array_fill leaks if start index is PHP_INT_MAX)
+--FILE--
+--EXPECTF--
+Warning: array_fill(): Cannot add element to the array as the next element is already occupied in %sbug61058.php on line %d
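Review bot: On the failure branch of the `while` loop, `zval_dtor(return_value)` runs before `php_error_docref(...)`, so `return_value` is still typed as an array but refers to an already destroyed hash table while the warning is being raised. A warning can be routed to a user-registered error handler, and although nothing visible in the hunk reads `return_value` in that window, the order is cheap to make safe: raise the warning first, then `zval_dtor(return_value);` and `RETURN_FALSE;`. Separately, the result of the first `zend_hash_index_update(...)` is no longer checked while `zval_add_ref(&val)` is now unconditional; if that call cannot fail on an array that was just created, a short comment such as `/* cannot fail: return_value was just created by array_init_size() */` would explain why the old FAILURE branch was dropped. The body of `PHP_FUNCTION(array_fill)` starts outside the hunk, so the argument checks that precede these lines are not visible here.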