By nulling out the function_handler, so it will not get used
below. Reuse the existing helper for this purpose.
--- /dev/null
+--TEST--
+is_callable() with trampoline should not caused UAF
+--FILE--
+<?php
+
+class B {}
+class A extends B {
+ public function bar($func) {
+ var_dump(is_callable(array('parent', 'foo')));
+ }
+
+ public function __call($func, $args) {
+ }
+}
+
+class X {
+ public static function __callStatic($func, $args) {
+ }
+}
+
+$a = new A();
+// Extra X::foo() wrapper to force use of allocated trampoline.
+X::foo($a->bar('foo'));
+
+?>
+--EXPECT--
+bool(false)
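Review bot: The test title under `--TEST--` has a grammar slip, "should not caused UAF"; it should read `is_callable() with trampoline should not cause UAF`. The only expectation is `bool(false)`, so the test presumably detects the use-after-free only when run under a debug allocator or a memory checker such as ASan or Valgrind, and may pass on a plain release build even with the bug present. A short comment in the `--FILE--` section would make that dependency clear to whoever triages a future failure, for example `// The UAF itself is only reported by a memory checker; the output check alone does not prove the fix.`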
if (strict_class &&
(!fcc->function_handler->common.scope ||
!instanceof_function(ce_org, fcc->function_handler->common.scope))) {
- if (fcc->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) {
- if (fcc->function_handler->type != ZEND_OVERLOADED_FUNCTION &&
- fcc->function_handler->common.function_name) {
- zend_string_release_ex(fcc->function_handler->common.function_name, 0);
- }
- zend_free_trampoline(fcc->function_handler);
- }
+ zend_release_fcall_info_cache(fcc);
} else {
retval = 1;
call_via_handler = (fcc->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) != 0;
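Review bot: The new call `zend_release_fcall_info_cache(fcc);` has no comment saying that its effect on `fcc->function_handler` is the reason for the change. According to the commit description, the helper nulls the handler so that code further down does not touch the freed trampoline. That dependency is invisible at the call site, and a later cleanup back to a bare `zend_free_trampoline()` would quietly reintroduce the use-after-free. I would add `/* Also resets fcc->function_handler, so the freed trampoline is not used below. */` directly above the call. The enclosing function starts and ends outside this hunk, so the later reads of `fcc->function_handler` are not visible here and should be confirmed to be guarded by a NULL check.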