From abe3673d1fd09a35c25b4da6248f7e8c106aa37e Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Mon, 30 Oct 2023 23:36:12 +0300
Subject: [PATCH] Fix memory leak after GC inside a foreach loop (#12572)

Fixes oss-fuzz #54515
---
 Zend/tests/gc_047.phpt | 20 ++++++++++++++++++++
 Zend/zend_gc.c | 2 +-
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/gc_047.phpt
diff --git a/Zend/tests/gc_047.phpt b/Zend/tests/gc_047.phpt
new file mode 100644
index 00000000000..08403d1e99b
--- /dev/null
+++ b/Zend/tests/gc_047.phpt
@@ -0,0 +1,20 @@
+--TEST--
+GC 047: Leak after GC inside a foreach loop
+--INI--
+zend.enable_gc=1
+--FILE--
+
+--EXPECT--
+int(2)
diff --git a/Zend/zend_gc.c b/Zend/zend_gc.c
index f062747eaeb..c9034ba5e34 100644
--- a/Zend/zend_gc.c
+++ b/Zend/zend_gc.c
@@ -1696,7 +1696,7 @@ static void zend_gc_root_tmpvars(void) {
  }
  uint32_t kind = range->var & ZEND_LIVE_MASK;
- if (kind == ZEND_LIVE_TMPVAR) {
+ if (kind == ZEND_LIVE_TMPVAR || kind == ZEND_LIVE_LOOP) {
  uint32_t var_num = range->var & ~ZEND_LIVE_MASK;
  zval *var = ZEND_CALL_VAR(ex, var_num);
  if (Z_REFCOUNTED_P(var)) {
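Review bot: The widened condition in zend_gc_root_tmpvars() carries no comment explaining why loop variables are now rooted while the remaining live-range kinds are still skipped, so a later reader cannot tell whether leaving the others out is deliberate. I would add above the `if`: `/* Root foreach loop vars too: the iterated value stays live for the whole loop, so it must be re-rooted after a GC run or cycles reachable through it leak. */`. Because this path reads the slot as a zval during collection, it is also worth confirming that a ZEND_LIVE_LOOP slot holds an initialized zval for the entire range; the `Z_REFCOUNTED_P(var)` guard only protects if the slot's type info is valid. The function starts and ends outside the hunk, so the range-bounds checks that would establish this are not visible here.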