From 819064a4960d400912fee6ef7d54557e26e00917 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Mon, 23 Jun 2025 00:05:03 +0200
Subject: [PATCH] Fix leak when creating cycle in hook

This is necessary because the VM frees operands with the nogc variants. We
cannot just call gc_possible_root() because the object may no longer exist at
that point.

Fixes GH-18907
---
 Zend/tests/gh18907.phpt     | 26 ++++++++++++++++++++++++++
 Zend/zend_object_handlers.c |  2 ++
 2 files changed, 28 insertions(+)
 create mode 100644 Zend/tests/gh18907.phpt

diff --git a/Zend/tests/gh18907.phpt b/Zend/tests/gh18907.phpt
new file mode 100644
index 0000000000000..1be881fd4941b
--- /dev/null
+++ b/Zend/tests/gh18907.phpt
@@ -0,0 +1,26 @@
+--TEST--
+GH-18907: Leak when creating cycle inside hook
+--FILE--
+<?php
+
+class Foo {
+    public $prop {
+        get {
+            $this->prop = $this;
+            return 1;
+        }
+    }
+}
+
+function test() {
+    var_dump((new Foo)->prop);
+}
+
+/* Call twice to test the ZEND_IS_PROPERTY_HOOK_SIMPLE_GET() path. */
+test();
+test();
+
+?>
+--EXPECT--
+int(1)
+int(1)
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index 0def95fc85227..2ddaeae96e999 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -719,7 +719,9 @@ static bool zend_call_get_hook(
 		return false;
 	}
 
+	GC_ADDREF(zobj);
 	zend_call_known_instance_method_with_0_params(get, zobj, rv);
+	OBJ_RELEASE(zobj);
 
 	return true;
 }