fix regression bug #50394: Reference argument converted to value in __call

diff --git a/Zend/tests/bug50394.phpt b/Zend/tests/bug50394.phpt
new file mode 100644 (file)
index 0000000..e6069d3
--- /dev/null
+++ b/Zend/tests/bug50394.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug #50394: Reference argument converted to value in __call
+--FILE--
+<?php
+function inc( &$x ) { $x++; }
+
+class Proxy {
+        function __call( $name, $args ) {
+               echo "$name called!\n";
+                call_user_func_array( 'inc', $args );
+        }
+}
+
+$arg = 1;
+$args = array( &$arg );
+$proxy = new Proxy;
+call_user_func_array( array( $proxy, 'bar' ), $args );
+call_user_func_array( array( $proxy, 'bar' ), array(&$arg) );
+var_dump($arg);
+--EXPECT--     
+bar called!
+bar called!
+int(3)
+

diff --git a/Zend/tests/call_with_refs.phpt b/Zend/tests/call_with_refs.phpt
new file mode 100644 (file)
index 0000000..acad134
--- /dev/null
+++ b/Zend/tests/call_with_refs.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Check call to non-ref function with call-time refs
+--FILE--
+<?php
+function my_errorhandler($errno,$errormsg) {
+  global $my_var;
+  $my_var=0x12345;
+  echo $errormsg."\n";
+  return true;
+}
+$oldhandler = set_error_handler("my_errorhandler");
+$my_var = str_repeat("A",64);
+$data = call_user_func_array("substr_replace",array(&$my_var, new StdClass(),1));
+echo "OK!";
+--EXPECT--     
+Object of class stdClass could not be converted to string
+Object of class stdClass to string conversion
+OK!

diff --git a/Zend/zend_compile.h b/Zend/zend_compile.h
index 121db7dd78bb631d989e9b0cfdf34448cbff2591..709ae6d0f6c2c843b274ad2bbb99f02c771a49e0 100644 (file)
--- a/Zend/zend_compile.h
+++ b/Zend/zend_compile.h
@@ -143,6 +143,10 @@ typedef struct _zend_try_catch_element {
 /* deprecation flag */
 #define ZEND_ACC_DEPRECATED 0x40000
 
+/* function flag for internal user call handler __call */
+#define ZEND_ACC_CALL_VIA_HANDLER     0x200000
+
+
 char *zend_visibility_string(zend_uint fn_flags);
 
 

diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
index f402017f99e619c89349e0f326ec8261d258cf4c..16c13abae235262101b197fbc31f09278bcdf05e 100644 (file)
--- a/Zend/zend_execute_API.c
+++ b/Zend/zend_execute_API.c
@@ -922,6 +922,7 @@ int zend_call_function(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache TS
                zval *param;
 
                if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION
+                       && (EX(function_state).function->common.fn_flags & ZEND_ACC_CALL_VIA_HANDLER) == 0
                        && !ARG_SHOULD_BE_SENT_BY_REF(EX(function_state).function, i + 1)
                        && PZVAL_IS_REF(*fci->params[i])) {
                        SEPARATE_ZVAL(fci->params[i]);

diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index d56c263d5a61d8ebaf6acb655b4ba75318e60dbf..41c2e08e87f775a097641408c9ddd340c72a4059 100644 (file)
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -771,7 +771,7 @@ static inline union _zend_function *zend_get_user_call_function(zend_class_entry
        call_user_call->arg_info = NULL;
        call_user_call->num_args = 0;
        call_user_call->scope = ce;
-       call_user_call->fn_flags = 0;
+       call_user_call->fn_flags = ZEND_ACC_CALL_VIA_HANDLER;
        call_user_call->function_name = estrndup(method_name, method_len);
        call_user_call->pass_rest_by_reference = 0;
        call_user_call->return_reference = ZEND_RETURN_VALUE;