Fix trampoline leak on dynamic static call of non-static method

Fixes oss-fuzz #30317.
author: Nikita Popov <nikita.ppv@gmail.com> 2021-02-22 10:32:28 +0100
committer: Nikita Popov <nikita.ppv@gmail.com> 2021-02-22 10:32:59 +0100
commit: ab989441957956522c1663f1a0662067afbfdb6c (patch)
tree: 87be3019fe5ca3bd1fb1e96c00e751a5ffb4eaf9 /Zend/zend_execute.c
parent: ed4f90f0c7ba205defcbdd0079b14d883354eaa2 (diff)
download: php-git-ab989441957956522c1663f1a0662067afbfdb6c.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index edf6c61794..f6b2a6f9be 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -4005,6 +4005,10 @@ static zend_never_inline zend_execute_data *zend_init_dynamic_call_string(zend_s
 
 		if (UNEXPECTED(!(fbc->common.fn_flags & ZEND_ACC_STATIC))) {
 			zend_non_static_method_call(fbc);
+			if (fbc->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) {
+				zend_string_release_ex(fbc->common.function_name, 0);
+				zend_free_trampoline(fbc);
+			}
 			return NULL;
 		}
 		if (EXPECTED(fbc->type == ZEND_USER_FUNCTION) && UNEXPECTED(!RUN_TIME_CACHE(&fbc->op_array))) {
@@ -4129,6 +4133,10 @@ static zend_never_inline zend_execute_data *zend_init_dynamic_call_array(zend_ar
 			}
 			if (!(fbc->common.fn_flags & ZEND_ACC_STATIC)) {
 				zend_non_static_method_call(fbc);
+				if (fbc->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) {
+					zend_string_release_ex(fbc->common.function_name, 0);
+					zend_free_trampoline(fbc);
+				}
 				return NULL;
 			}
 			object_or_called_scope = called_scope;
author	Nikita Popov <nikita.ppv@gmail.com>	2021-02-22 10:32:28 +0100
committer	Nikita Popov <nikita.ppv@gmail.com>	2021-02-22 10:32:59 +0100
commit	ab989441957956522c1663f1a0662067afbfdb6c (patch)
tree	87be3019fe5ca3bd1fb1e96c00e751a5ffb4eaf9 /Zend/zend_execute.c
parent	ed4f90f0c7ba205defcbdd0079b14d883354eaa2 (diff)
download	php-git-ab989441957956522c1663f1a0662067afbfdb6c.tar.gz