authorNikita Popov <nikita.ppv@gmail.com>2020-01-30 11:01:13 +0100
committerNikita Popov <nikita.ppv@gmail.com>2020-01-30 11:04:59 +0100
commit429f194f406e8d8255a12af210aa4bde3f9e1433 (patch)
tree3c9dbab878f51c77c7728174eeebf1010d42fc17 /Zend/zend_API.c
parent43465768f1aba95afd1ea5a0ac40af2cb440d1e4 (diff)
downloadphp-git-429f194f406e8d8255a12af210aa4bde3f9e1433.tar.gz
Fix UAF in is_callable() and allocated trampoline
By nulling out the function_handler, so it will not get used below. Reuse the existing helper for this purpose.
Diffstat (limited to 'Zend/zend_API.c')
-rw-r--r--Zend/zend_API.c8
1 files changed, 1 insertions, 7 deletions
diff --git a/Zend/zend_API.c b/Zend/zend_API.c
index 4511368bea..b7af44a32a 100644
--- a/Zend/zend_API.c
+++ b/Zend/zend_API.c
@@ -3154,13 +3154,7 @@ get_function_via_handler:
if (strict_class &&
(!fcc->function_handler->common.scope ||
!instanceof_function(ce_org, fcc->function_handler->common.scope))) {
- if (fcc->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) {
- if (fcc->function_handler->type != ZEND_OVERLOADED_FUNCTION &&
- fcc->function_handler->common.function_name) {
- zend_string_release_ex(fcc->function_handler->common.function_name, 0);
- }
- zend_free_trampoline(fcc->function_handler);
- }
+ zend_release_fcall_info_cache(fcc);
} else {
retval = 1;
call_via_handler = (fcc->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) != 0;
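Review bot: The new `zend_release_fcall_info_cache(fcc);` call in the strict_class failure branch carries no comment saying that the fix depends on the helper clearing `fcc->function_handler`, so a later cleanup could put a bare `zend_free_trampoline()` back and reintroduce the dangling pointer. I would add above it something like `/* Release the trampoline and reset fcc->function_handler so the freed handler is not used or released again later. */`. The helper's body is not part of this hunk, so it is worth confirming that it keeps the removed `type != ZEND_OVERLOADED_FUNCTION` guard before releasing `common.function_name`. Going by the commit description it also nulls the handler when the trampoline flag is not set, which the removed lines did not do; that looks harmless here because retval stays 0 on this path, but the enclosing function starts and ends outside the hunk, so later reads of `fcc->function_handler` should be checked against that.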