From c578917e306b452493fed4a0aa2ecbd3a8c3f252 Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@php.net>
Date: Sun, 12 Feb 2012 04:59:08 +0000
Subject: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)

---
 ext/standard/array.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'ext/standard/array.c')

diff --git a/ext/standard/array.c b/ext/standard/array.c
index 060d665195..3ca1a69a5e 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -1558,11 +1558,15 @@ PHP_FUNCTION(array_fill)
 
 	num--;
 	zval_add_ref(&val);
-	zend_hash_index_update(Z_ARRVAL_P(return_value), start_key, &val, sizeof(zval *), NULL);
+	if (zend_hash_index_update(Z_ARRVAL_P(return_value), start_key, &val, sizeof(zval *), NULL) == FAILURE) {
+		zval_ptr_dtor(&val);
+	}
 
 	while (num--) {
 		zval_add_ref(&val);
-		zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &val, sizeof(zval *), NULL);
+		if (zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &val, sizeof(zval *), NULL) == FAILURE) {
+			zval_ptr_dtor(&val);
+		}
 	}
 }
 /* }}} */
-- 
cgit v1.2.1