From 38626dbaadde4add3ace960345ef24b6f4ac7bbb Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@zend.com>
Date: Wed, 20 Oct 2021 10:38:47 +0300
Subject: [PATCH] JIT: Fixed memory leak

---
 ext/opcache/jit/zend_jit_x86.dasc          |  5 ++++-
 ext/opcache/tests/jit/fetch_dim_w_001.phpt | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 ext/opcache/tests/jit/fetch_dim_w_001.phpt

diff --git a/ext/opcache/jit/zend_jit_x86.dasc b/ext/opcache/jit/zend_jit_x86.dasc
index 8519e159a28..6fa44ded0d4 100644
--- a/ext/opcache/jit/zend_jit_x86.dasc
+++ b/ext/opcache/jit/zend_jit_x86.dasc
@@ -5364,6 +5364,7 @@ static int zend_jit_fetch_dimension_address_inner(dasm_State **Dst, const zend_o
 	if (op2_info & MAY_BE_LONG) {
 		zend_bool op2_loaded = 0;
 		zend_bool packed_loaded = 0;
+		zend_bool bad_packed_key = 0;
 
 		if (op2_info & ((MAY_BE_ANY|MAY_BE_UNDEF) - MAY_BE_LONG)) {
 			|	// if (EXPECTED(Z_TYPE_P(dim) == IS_LONG))
@@ -5396,6 +5397,8 @@ static int zend_jit_fetch_dimension_address_inner(dasm_State **Dst, const zend_o
 				val = Z_LVAL_P(Z_ZV(op2_addr));
 				if (val >= 0 && val < HT_MAX_SIZE) {
 					packed_loaded = 1;
+				} else {
+					bad_packed_key = 1;
 				}
 			} else {
 				if (!op2_loaded) {
@@ -5594,7 +5597,7 @@ static int zend_jit_fetch_dimension_address_inner(dasm_State **Dst, const zend_o
 				if (packed_loaded) {
 					|	IF_NOT_Z_TYPE r0, IS_UNDEF, >8
 				}
-				if (!(op1_info & MAY_BE_ARRAY_KEY_LONG) || packed_loaded) {
+				if (!(op1_info & MAY_BE_ARRAY_KEY_LONG) || packed_loaded || bad_packed_key) {
 					|2:
 					|	//retval = zend_hash_index_add_new(ht, hval, &EG(uninitialized_zval));
 					if (!op2_loaded) {
diff --git a/ext/opcache/tests/jit/fetch_dim_w_001.phpt b/ext/opcache/tests/jit/fetch_dim_w_001.phpt
new file mode 100644
index 00000000000..a501e703aac
--- /dev/null
+++ b/ext/opcache/tests/jit/fetch_dim_w_001.phpt
@@ -0,0 +1,18 @@
+--TEST--
+JIT FETCH_DIM_W: 001
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+function &foo() {
+    $a = array(1);
+    return $a[-1];
+}
+
+var_dump(foo());
+?>
+--EXPECT--
+NULL