From d36230fcaba46cc5b3ad54ced9337eee404c6b1b Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Tue, 4 Sep 2018 08:08:39 +0200
Subject: [PATCH] Fix incorrect literal freeing if pass_two generates fatal error

---
 Zend/zend_opcode.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Zend/zend_opcode.c b/Zend/zend_opcode.c
index 6bed3c7b59d..1e82dc7bf5b 100644
--- a/Zend/zend_opcode.c
+++ b/Zend/zend_opcode.c
@@ -546,6 +546,10 @@ ZEND_API int pass_two(zend_op_array *op_array)
 CG(context).literals_size = op_array->last_literal;
 #endif
+ /* Needs to be set directly after the opcode/literal reallocation, to ensure destruction
+ * happens correctly if any of the following fixups generate a fatal error. */
+ op_array->fn_flags |= ZEND_ACC_DONE_PASS_TWO;
 opline = op_array->opcodes;
 end = opline + op_array->last;
 while (opline < end) {
@@ -674,7 +678,6 @@ ZEND_API int pass_two(zend_op_array *op_array)
 }
 }
- op_array->fn_flags |= ZEND_ACC_DONE_PASS_TWO;
 return 0;
 }
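Review bot: With ZEND_ACC_DONE_PASS_TWO now set before the fixup loop, the flag on the new side no longer means "pass two completed" but "opcodes and literals have been moved into their final layout", and the added comment should state that invariant rather than only the motivation, since the op_array destructor's choice of how to free the literals presumably keys off this flag (inferred; the destructor is not in the hunk). Suggest extending the comment with ` * Once set, the op_array is torn down using the post-pass_two memory layout, so it must be set before anything below can bail out.` and mirroring that sentence at the flag's definition. Any other reader that tests the flag to mean operand fixups are finished should be rechecked, although for a fatal error inside this function the bailout makes that distinction moot. The start of pass_two and the code between the two hunks are outside the view, so whether anything between the reallocation and this new assignment can itself bail out is not visible; the second hunk only removes the old assignment.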