diff --git a/Zend/tests/bug75241.phpt b/Zend/tests/bug75241.phpt
new file mode 100644
index 00000000000..1751bbee767
--- /dev/null
+++ b/Zend/tests/bug75241.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #75241 (Null pointer dereference in zend_mm_alloc_small())
+--FILE--
+d = &$d + $d->d/=0;
+var_dump($d);
+?>
+--EXPECT--
+float(INF)
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index 418d2f03ea1..8faf6924cfb 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -222,8 +222,10 @@ ZEND_API void ZEND_FASTCALL convert_scalar_to_number(zval *op) /* {{{ */
 if (Z_TYPE(holder) == IS_LONG) { \
 if (op == result) { \
 zval_ptr_dtor(op); \
+ ZVAL_LONG(op, Z_LVAL(holder)); \
+ } else { \
+ (op) = &(holder); \
 } \
- (op) = &(holder); \
 } \
 break; \
 } \
diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
index 52138561bc8..c7ac6cecd0b 100644
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -733,7 +733,7 @@ SPL_METHOD(SplDoublyLinkedList, setIteratorMode)
 return;
 }
- intern->flags = value & SPL_DLLIST_IT_MASK | intern->flags & SPL_DLLIST_IT_FIX;
+ intern->flags = (value & SPL_DLLIST_IT_MASK) | (intern->flags & SPL_DLLIST_IT_FIX);
 RETURN_LONG(intern->flags);
 }
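Review bot: In the Zend/zend_operators.c hunk, the `op == result` branch still calls `zval_ptr_dtor(op);` before `ZVAL_LONG(op, Z_LVAL(holder));`, so op keeps its old type tag and pointer for the whole of the destruction. If releasing the old value can run code that reaches op again (a destructor, or a self-reference like the one the new test appears to build), that code would see a value that is in the middle of being freed. I would copy the old value aside with `ZVAL_COPY_VALUE`, store the long into op, and only then call `zval_ptr_dtor` on the copy. The changed lines sit in a backslash-continued macro whose start and name are outside the hunk, so a short comment there such as `/* op aliases result: write the long in place, never repoint op at holder */` would record why the two branches differ. Any sibling conversion macros that still use the `(op) = &(holder)` pattern after a dtor should be checked for the same aliasing case.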