From 64adaaeb1634f9514964a581e2b98cc6e755b669 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Fri, 31 Jul 2020 09:12:22 +0200
Subject: [PATCH] Fix #79919: Stack use-after-scope in define

Instead of the temporary `rv`, we use the `val_free` which is there for
this purpose.
---
 Zend/tests/bug79919.phpt      | 15 +++++++++++++++
 Zend/zend_builtin_functions.c |  4 +---
 2 files changed, 16 insertions(+), 3 deletions(-)
 create mode 100644 Zend/tests/bug79919.phpt

diff --git a/Zend/tests/bug79919.phpt b/Zend/tests/bug79919.phpt
new file mode 100644
index 0000000000000..23fa0859b1e97
--- /dev/null
+++ b/Zend/tests/bug79919.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #79919 (Stack use-after-scope in define)
+--SKIPIF--
+<?php
+if (PHP_OS_FAMILY === 'Windows') die('skip need ASan instrumentation');
+if (!extension_loaded('simplexml')) die('skip simplexml extension not available');
+?>
+--FILE--
+<?php
+$b = error_log(0);
+$b = simplexml_load_string('<xml/>', null, $b);
+define(0, $b);
+?>
+--EXPECT--
+0
diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c
index bc3649a622292..468a7c3446aa6 100644
--- a/Zend/zend_builtin_functions.c
+++ b/Zend/zend_builtin_functions.c
@@ -882,9 +882,7 @@ ZEND_FUNCTION(define)
 		case IS_OBJECT:
 			if (Z_TYPE(val_free) == IS_UNDEF) {
 				if (Z_OBJ_HT_P(val)->get) {
-					zval rv;
-					val = Z_OBJ_HT_P(val)->get(val, &rv);
-					ZVAL_COPY_VALUE(&val_free, val);
+					val = Z_OBJ_HT_P(val)->get(val, &val_free);
 					goto repeat;
 				} else if (Z_OBJ_HT_P(val)->cast_object) {
 					if (Z_OBJ_HT_P(val)->cast_object(val, &val_free, IS_STRING) == SUCCESS) {