authorNikita Popov <nikita.ppv@gmail.com>2020-09-04 09:41:27 +0200
committerNikita Popov <nikita.ppv@gmail.com>2020-09-04 14:23:14 +0200
commit2e218180efebeac4fe0fe3f36e39fce8fc513468 (patch)
tree75d028ac345289ff3a0211c146419c50492372c1 /Zend/zend_API.h
parentc0d6b05b686767fcf6a858d5c039bee764655590 (diff)
Release call trampolines in zpp fcc
When using zpp 'f' or Z_PARAM_FUNC, if the fcc points to a call trampoline release it immediately and force zend_call_function to refetch it. This may require additional callability checks if __call is used, but avoids the need to carefully free fcc values in all internal functions -- in some cases this is not simple, as a type error might be triggered by a later argument in the same zpp call. This fixes oss-fuzz #25390. Closes GH-6073.
Diffstat (limited to 'Zend/zend_API.h')
-rw-r--r--Zend/zend_API.h4
1 files changed, 4 insertions, 0 deletions
diff --git a/Zend/zend_API.h b/Zend/zend_API.h
index a81a43f231..72cd3856ae 100644
--- a/Zend/zend_API.h
+++ b/Zend/zend_API.h
@@ -2004,6 +2004,10 @@ static zend_always_inline bool zend_parse_arg_func(zval *arg, zend_fcall_info *d
} else if (UNEXPECTED(zend_fcall_info_init(arg, 0, dest_fci, dest_fcc, NULL, error) != SUCCESS)) {
return 0;
}
+ /* Release call trampolines: The function may not get called, in which case
+ * the trampoline will leak. Force it to be refetched during
+ * zend_call_function instead. */
+ zend_release_fcall_info_cache(dest_fcc);
return 1;
}
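Review bot: The new `zend_release_fcall_info_cache(dest_fcc)` call changes what callers of zend_parse_arg_func may assume about `dest_fcc` on success, and the added comment only documents the leak it avoids, not that contract change. If releasing a trampoline leaves `dest_fcc->function_handler` unset (as the commit message's "force zend_call_function to refetch it" suggests), any internal function that reads the handler directly after zpp instead of going through zend_call_function now sees an unresolved cache for `__call`-backed callables; that is worth stating where the release happens, e.g. extend the comment with `* Callers must invoke the callable via zend_call_function; after this point dest_fcc->function_handler may be unset for trampolines and must not be cached.`. The refetch path is also where the extra callability check mentioned in the description is expected to run, so a one-line pointer to that check would help the next reader verify the leak fix does not widen what is callable. zend_parse_arg_func's body begins before this hunk; the branch that handles the non-error case is outside the visible lines.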