From ae3ab37816d741f632cb5560b3c3397b28a9fd0a Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sun, 12 Jan 2025 15:09:25 +0100
Subject: [PATCH] Fix GH-17447: Assertion failure when array popping a self addressing variable

This is the same bug as GH-16957, and fixed in the same way.

Closes GH-17448.
---
 NEWS | 4 ++++
 ext/standard/array.c | 10 ++++++++--
 ext/standard/tests/array/gh17447.phpt | 12 ++++++++++++
 3 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 ext/standard/tests/array/gh17447.phpt
diff --git a/NEWS b/NEWS
index 10196b5cc9f7c..b8e3c64d00742 100644
--- a/NEWS
+++ b/NEWS
@@ -69,6 +69,10 @@ PHP NEWS
 . Fixed bug GH-15833 (Segmentation fault (access null pointer) in ext/spl/spl_array.c). (nielsdos)
+- Standard:
+ . Fixed bug GH-17447 (Assertion failure when array popping a self addressing
+ variable). (nielsdos)
+
 - Windows:
 . Fixed clang compiler detection. (cmb)
diff --git a/ext/standard/array.c b/ext/standard/array.c
index d95ea012ad6bc..6bfc0dc9c0403 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -3564,7 +3564,8 @@ PHP_FUNCTION(array_pop)
 break;
 }
 }
- RETVAL_COPY_DEREF(val);
+ RETVAL_COPY_VALUE(val);
+ ZVAL_UNDEF(val);
 if (idx == (Z_ARRVAL_P(stack)->nNextFreeElement - 1)) {
 Z_ARRVAL_P(stack)->nNextFreeElement = Z_ARRVAL_P(stack)->nNextFreeElement - 1;
@@ -3588,7 +3589,8 @@ PHP_FUNCTION(array_pop)
 break;
 }
 }
- RETVAL_COPY_DEREF(val);
+ RETVAL_COPY_VALUE(val);
+ ZVAL_UNDEF(val);
 if (!p->key && (zend_long)p->h == (Z_ARRVAL_P(stack)->nNextFreeElement - 1)) {
 Z_ARRVAL_P(stack)->nNextFreeElement = Z_ARRVAL_P(stack)->nNextFreeElement - 1;
@@ -3598,6 +3600,10 @@ PHP_FUNCTION(array_pop)
 zend_hash_del_bucket(Z_ARRVAL_P(stack), p);
 }
 zend_hash_internal_pointer_reset(Z_ARRVAL_P(stack));
+
+ if (Z_ISREF_P(return_value)) {
+ zend_unwrap_reference(return_value);
+ }
 }
 /* }}} */
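Review bot: The two `RETVAL_COPY_VALUE(val); ZVAL_UNDEF(val);` pairs and the `zend_unwrap_reference(return_value)` at the end of array_pop depend on each other, but nothing in the code says so, and a later cleanup back to `RETVAL_COPY_DEREF(val)` would bring the GH-17447 failure back. I would add a comment at each move, e.g. `/* Move the value out and leave the slot UNDEF so that deleting the element cannot touch it; a reference is unwrapped at the end of the function (GH-17447). */`, and a short one at the unwrap pointing back to them. Judging by the commit message the trigger is an element that refers back to the popped variable itself; in a build without assertions this would presumably show up as memory corruption rather than a clean failure, so the ordering is worth protecting. The function starts outside these hunks, and the `--FILE--` body of gh17447.phpt is not visible on this page, so it is unclear whether the test reaches both the `idx` branch and the `p->key` branch; if it covers only one, a second case would be worth adding.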
diff --git a/ext/standard/tests/array/gh17447.phpt b/ext/standard/tests/array/gh17447.phpt
new file mode 100644
index 0000000000000..e107efbd17bfa
--- /dev/null
+++ b/ext/standard/tests/array/gh17447.phpt
@@ -0,0 +1,12 @@
+--TEST--
+GH-17447 (Assertion failure when array poping a self addressing variable)
+--FILE--
+
+--EXPECT--
+array(0) {
+}
+array(0) {
+}