From d23005ae15498d00616cd036b85871889b11c52b Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 10 Mar 2020 16:12:53 +0100
Subject: [PATCH] Fix #79364: When copy empty array, next key is unspecified

We must not forget to keep the `nNextFreeElement` when duplicating
empty arrays.
---
 Zend/tests/bug79364.phpt | 22 ++++++++++++++++++++++
 Zend/zend_hash.c         |  2 +-
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/bug79364.phpt

diff --git a/Zend/tests/bug79364.phpt b/Zend/tests/bug79364.phpt
new file mode 100644
index 0000000000000..6d96b4d7935d5
--- /dev/null
+++ b/Zend/tests/bug79364.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #79364 (When copy empty array, next key is unspecified)
+--FILE--
+<?php
+$a = [1, 2];
+unset($a[1], $a[0]);
+$b = $a;
+
+$a[] = 3;
+$b[] = 4;
+
+var_dump($a, $b);
+?>
+--EXPECT--
+array(1) {
+  [2]=>
+  int(3)
+}
+array(1) {
+  [2]=>
+  int(4)
+}
diff --git a/Zend/zend_hash.c b/Zend/zend_hash.c
index 8c0bce5b411ff..6fc4666da9ae2 100644
--- a/Zend/zend_hash.c
+++ b/Zend/zend_hash.c
@@ -1934,7 +1934,7 @@ ZEND_API HashTable* ZEND_FASTCALL zend_array_dup(HashTable *source)
 		target->nTableMask = HT_MIN_MASK;
 		target->nNumUsed = 0;
 		target->nNumOfElements = 0;
-		target->nNextFreeElement = 0;
+		target->nNextFreeElement = source->nNextFreeElement;
 		target->nInternalPointer = 0;
 		HT_SET_DATA_ADDR(target, &uninitialized_bucket);
 	} else if (GC_FLAGS(source) & IS_ARRAY_IMMUTABLE) {