Fixed bug #69025 (Invalid read of size 4 when calling __callStatic)

diff --git a/Zend/tests/bug69025.phpt b/Zend/tests/bug69025.phpt
new file mode 100644 (file)
index 0000000..389c09f
--- /dev/null
+++ b/Zend/tests/bug69025.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #69025 (Invalid read of size 4 when calling __callStatic)
+--FILE--
+<?php
+class A {
+       public static function __callStatic($method, $args)
+       {
+       }
+}
+
+A::init();
+?>
+OK
+--EXPECT--
+OK

diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index 7a94a3dcd30de7a217c8e9adbe647597fbc1894c..9a376aa1a00bd488c45e6a8f2029dbade40a9766 100644 (file)
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -936,6 +936,7 @@ ZEND_API void zend_std_call_user_call(INTERNAL_FUNCTION_PARAMETERS) /* {{{ */
 
        /* destruct the function also, then - we have allocated it in get_method */
        efree_size(func, sizeof(zend_internal_function));
+       execute_data->func = NULL;
 }
 /* }}} */
 
@@ -1156,6 +1157,7 @@ ZEND_API void zend_std_callstatic_user_call(INTERNAL_FUNCTION_PARAMETERS) /* {{{
 
        /* destruct the function also, then - we have allocated it in get_method */
        efree_size(func, sizeof(zend_internal_function));
+       execute_data->func = NULL;
 }
 /* }}} */
 

diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 8a1bda8cd76fa0e7100845b651361888c912dbea..f437f430d5f1fef430a275e227d2e592c08428ee 100644 (file)
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -2871,14 +2871,16 @@ ZEND_VM_HANDLER(60, ZEND_DO_FCALL, ANY, ANY)
                } else {
                        zend_execute_internal(call, ret);
                }
+               
+               ZEND_ASSERT(
+                       !call->func ||
+                       !(call->func->common.fn_flags & ZEND_ACC_HAS_RETURN_TYPE) ||
+                       zend_verify_internal_return_type(call->func, EX_VAR(opline->result.var)));
+
                EG(current_execute_data) = call->prev_execute_data;
                zend_vm_stack_free_args(call);
                zend_vm_stack_free_call_frame(call);
 
-               ZEND_ASSERT(
-                       !(fbc->common.fn_flags & ZEND_ACC_HAS_RETURN_TYPE) ||
-                       zend_verify_internal_return_type(fbc, EX_VAR(opline->result.var)));
-
                if (!RETURN_VALUE_USED(opline)) {
                        zval_ptr_dtor(EX_VAR(opline->result.var));
                }

diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 19e1a741b5df6d16a873d8e1fa860fe36f5a90bb..3e32191a034e7bf06ce4620bdb515f8d5525d393 100644 (file)
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -597,14 +597,16 @@ static int ZEND_FASTCALL  ZEND_DO_FCALL_SPEC_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
                } else {
                        zend_execute_internal(call, ret);
                }
+
+               ZEND_ASSERT(
+                       !call->func ||
+                       !(call->func->common.fn_flags & ZEND_ACC_HAS_RETURN_TYPE) ||
+                       zend_verify_internal_return_type(call->func, EX_VAR(opline->result.var)));
+
                EG(current_execute_data) = call->prev_execute_data;
                zend_vm_stack_free_args(call);
                zend_vm_stack_free_call_frame(call);
 
-               ZEND_ASSERT(
-                       !(fbc->common.fn_flags & ZEND_ACC_HAS_RETURN_TYPE) ||
-                       zend_verify_internal_return_type(fbc, EX_VAR(opline->result.var)));
-
                if (!RETURN_VALUE_USED(opline)) {
                        zval_ptr_dtor(EX_VAR(opline->result.var));
                }