Fix use-after-free when trying to write to closure property

2 files changed, 23 insertions, 1 deletions

diff --git a/Zend/tests/closure_write_prop.phpt b/Zend/tests/closure_write_prop.phpt
new file mode 100644
index 0000000000..38bebf4e1b
--- /dev/null
+++ b/Zend/tests/closure_write_prop.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Cannot write to closure properties
+--FILE--
+<?php
+
+class A {
+    function getFn() {
+        return function() {
+        };
+    }
+}
+
+$a = new A;
+try {
+    $c = $a->getFn()->b = new stdClass;
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Closure object cannot have properties
diff --git a/Zend/zend_closures.c b/Zend/zend_closures.c
index 697fd69fd6..92f1398d84 100644
--- a/Zend/zend_closures.c
+++ b/Zend/zend_closures.c
@@ -435,7 +435,7 @@ static ZEND_COLD zval *zend_closure_read_property(zval *object, zval *member, in
 static ZEND_COLD zval *zend_closure_write_property(zval *object, zval *member, zval *value, void **cache_slot) /* {{{ */
 {
 	ZEND_CLOSURE_PROPERTY_ERROR();
-	return value;
+	return &EG(error_zval);
 }
 /* }}} */