From fe504d33571f7c21a3529594693460a863dbb5ed Mon Sep 17 00:00:00 2001
From: Ilija Tovilo
Date: Mon, 23 Jun 2025 00:05:03 +0200
Subject: [PATCH] Fix leak when creating cycle in hook

This is necessary because the VM frees operands with the nogc variants. We cannot just call gc_possible_root() because the object may no longer exist at that point.
Fixes GH-18907
Closes GH-18917
---
 NEWS | 1 +
 Zend/tests/gh18907.phpt | 26 ++++++++++++++++++++++++++
 Zend/zend_object_handlers.c | 2 ++
 3 files changed, 29 insertions(+)
 create mode 100644 Zend/tests/gh18907.phpt
diff --git a/NEWS b/NEWS
index 94eb74cae51..80b805983e8 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,7 @@ PHP NEWS
 - Core:
 . Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction order). (Daniil Gentili)
+ . Fixed bug GH-18907 (Leak when creating cycle in hook). (ilutov)
 - Curl:
 . Fix memory leaks when returning refcounted value from curl callback.
diff --git a/Zend/tests/gh18907.phpt b/Zend/tests/gh18907.phpt
new file mode 100644
index 00000000000..1be881fd494
--- /dev/null
+++ b/Zend/tests/gh18907.phpt
@@ -0,0 +1,26 @@
+--TEST--
+GH-18907: Leak when creating cycle inside hook
+--FILE--
+prop = $this;
+ return 1;
+ }
+ }
+}
+
+function test() {
+ var_dump((new Foo)->prop);
+}
+
+/* Call twice to test the ZEND_IS_PROPERTY_HOOK_SIMPLE_GET() path. */
+test();
+test();
+
+?>
+--EXPECT--
+int(1)
+int(1)
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index 0def95fc852..2ddaeae96e9 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -719,7 +719,9 @@ static bool zend_call_get_hook(
 return false;
 }
+ GC_ADDREF(zobj);
 zend_call_known_instance_method_with_0_params(get, zobj, rv);
+ OBJ_RELEASE(zobj);
 return true;
 }
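Review bot: The `GC_ADDREF(zobj)` / `OBJ_RELEASE(zobj)` pair around the hook call in `zend_call_get_hook()` carries no comment, so without the commit message it reads like a redundant refcount bump that a later cleanup could remove, bringing the leak back. I would put the rationale next to the code, for example `/* Hold a temporary reference so OBJ_RELEASE() can register zobj as a possible GC root if the hook created a cycle; the VM frees the operand with a nogc variant. */`. The same comment should say that `OBJ_RELEASE()` may destroy the object if the hook dropped every other reference, so a caller must not read `zobj` after this function returns unless it holds its own reference. The callers and the start of the function are outside this hunk, so that lifetime assumption needs confirming there, as does whether the set-hook call path needs the same pair.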