From b05ff14a9aa8fd98eea9cbeb090f9d64bf302561 Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Sun, 24 Sep 2017 17:24:11 +0800
Subject: [PATCH] Fixed bug #75241 (Null pointer dereference in zend_mm_alloc_small()).
---
 NEWS | 2 ++
 Zend/tests/bug75241.phpt | 13 +++++++++++++
 Zend/zend_operators.c | 4 +++-
 3 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/bug75241.phpt
diff --git a/NEWS b/NEWS
index f1cc520650b..37520dc7d30 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP NEWS
 ?? ??? 2017 PHP 7.0.25
 - Core:
+ . Fixed bug #75241 (Null pointer dereference in zend_mm_alloc_small()).
+ (Laruence)
 . Fixed bug #75236 (infinite loop when printing an error-message). (Andrea)
 . Fixed bug #75252 (Incorrect token formatting on two parse errors in one request). (Nikita)
diff --git a/Zend/tests/bug75241.phpt b/Zend/tests/bug75241.phpt
new file mode 100644
index 00000000000..1751bbee767
--- /dev/null
+++ b/Zend/tests/bug75241.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #75241 (Null pointer dereference in zend_mm_alloc_small())
+--FILE--
+d = &$d + $d->d/=0;
+var_dump($d);
+?>
+--EXPECT--
+float(INF)
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index 3a8929b83f9..d87dba919b7 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -221,8 +221,10 @@ try_again:
 if (Z_TYPE(holder) == IS_LONG) { \
 if (op == result) { \
 zval_ptr_dtor(op); \
+ ZVAL_LONG(op, Z_LVAL(holder)); \
+ } else { \
+ (op) = &(holder); \
 } \
- (op) = &(holder); \
 } \
 break; \
 } \
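Review bot: The `if (op == result)` branch deserves a comment explaining why the converted long is now written back into `*op` instead of repointing `op` at `holder`: `zval_ptr_dtor(op)` releases the string that `*result` was holding, and the removed `(op) = &(holder);` then left `*result` still describing that released string while `op` pointed at the stack-local `holder`, so any later write to or destruction of `result` by the caller touched freed data (presumably the origin of the allocator crash in the title; the callers are outside this hunk). Suggested comment above the new `ZVAL_LONG` line: `/* op aliases result: store the long in place so result never keeps the string just released */`. The `else` branch keeps the pre-existing behaviour of pointing `op` at the stack-local `holder` for the non-aliased case, which looks intentional but relies on the caller consuming `op` before `holder` goes out of scope; worth confirming. The enclosing backslash-continued macro starts before and ends after this hunk, so any other case in it that frees `op` the same way could not be checked here and should get the same treatment if one exists.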