From 2e218180efebeac4fe0fe3f36e39fce8fc513468 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Fri, 4 Sep 2020 09:41:27 +0200
Subject: Release call trampolines in zpp fcc

When using zpp 'f' or Z_PARAM_FUNC, if the fcc points to a call trampoline release it immediately and force zend_call_function to refetch it. This may require additional callability checks if __call is used, but avoids the need to carefully free fcc values in all internal functions -- in some cases this is not simple, as a type error might be triggered by a later argument in the same zpp call. This fixes oss-fuzz #25390. Closes GH-6073.
---
 Zend/zend_builtin_functions.c | 2 --
 1 file changed, 2 deletions(-)
(limited to 'Zend/zend_builtin_functions.c')

diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c
index 906f0666ed..c3a2a1b63f 100644
--- a/Zend/zend_builtin_functions.c
+++ b/Zend/zend_builtin_functions.c
@@ -1198,7 +1198,6 @@ ZEND_FUNCTION(set_error_handler)
 ZVAL_COPY(&EG(user_error_handler), &(fci.function_name));
 EG(user_error_handler_error_reporting) = (int)error_type;
- zend_release_fcall_info_cache(&fcc);
 }
 /* }}} */
@@ -1254,7 +1253,6 @@ ZEND_FUNCTION(set_exception_handler)
 }
 ZVAL_COPY(&EG(user_exception_handler), &(fci.function_name));
- zend_release_fcall_info_cache(&fcc);
 }
 /* }}} */
-- cgit v1.2.1