Fixed bug #76068 parse_ini_string fails to parse "[foo]\nbar=1|>baz" with segfault

Zend/zend_ini_parser.y

@@ -57,11 +57,19 @@ static void zend_ini_do_op(char type, zval *result, zval *op1, zval *op2)
 	int str_len;
 	char str_result[MAX_LENGTH_OF_LONG+1];
 
-	i_op1 = atoi(Z_STRVAL_P(op1));
-	zend_string_free(Z_STR_P(op1));
+	if (IS_LONG == Z_TYPE_P(op1)) {
+		i_op1 = Z_LVAL_P(op1);
+	} else {
+		i_op1 = atoi(Z_STRVAL_P(op1));
+		zend_string_free(Z_STR_P(op1));
+	}
 	if (op2) {
-		i_op2 = atoi(Z_STRVAL_P(op2));
-		zend_string_free(Z_STR_P(op2));
+		if (IS_LONG == Z_TYPE_P(op2)) {
+			i_op2 = Z_LVAL_P(op2);
+		} else {
+			i_op2 = atoi(Z_STRVAL_P(op2));
+			zend_string_free(Z_STR_P(op2));
+		}
 	} else {
 		i_op2 = 0;
 	}

ext/standard/tests/general_functions/parse_ini_string_bug76068.phpt

@@ -0,0 +1,49 @@
+--TEST--
+Bug #76068 parse_ini_string fails to parse "[foo]\nbar=1|>baz" with segfault
+--FILE--
+<?php
+
+$s = parse_ini_string("[foo]\nbar=1|>baz",true, \INI_SCANNER_TYPED);
+var_dump($s);
+
+$s = parse_ini_string("[foo]\nbar=\"1|>baz\"",true, \INI_SCANNER_TYPED);
+var_dump($s);
+
+$s = parse_ini_string("[foo]\nbar=1",true, \INI_SCANNER_TYPED);
+var_dump($s);
+
+$s = parse_ini_string("[foo]\nbar=42|>baz",true, \INI_SCANNER_TYPED);
+var_dump($s);
+
+?>
+==DONE==
+--EXPECT--
+array(1) {
+  ["foo"]=>
+  array(1) {
+    ["bar"]=>
+    string(1) "1"
+  }
+}
+array(1) {
+  ["foo"]=>
+  array(1) {
+    ["bar"]=>
+    string(6) "1|>baz"
+  }
+}
+array(1) {
+  ["foo"]=>
+  array(1) {
+    ["bar"]=>
+    int(1)
+  }
+}
+array(1) {
+  ["foo"]=>
+  array(1) {
+    ["bar"]=>
+    string(2) "42"
+  }
+}
+==DONE==