Fix usage of casted string in ReflectionParameter ctor

Fixes oss-fuzz #27755.

diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
index 620d95afa49e8441f52fb74f78cde81c58c3983a..6384e2b4104edba4c607c4bcd6e720d71a34154f 100644 (file)
--- a/ext/reflection/php_reflection.c
+++ b/ext/reflection/php_reflection.c
@@ -2306,10 +2306,10 @@ ZEND_METHOD(reflection_parameter, __construct)
                                        /* nothing to do. don't set is_closure since is the invoke handler,
                                           not the closure itself */
                                } else if ((fptr = zend_hash_find_ptr(&ce->function_table, lcname)) == NULL) {
+                                       zend_throw_exception_ex(reflection_exception_ptr, 0,
+                                               "Method %s::%s() does not exist", ZSTR_VAL(ce->name), ZSTR_VAL(name));
                                        zend_string_release(name);
                                        zend_string_release(lcname);
-                                       zend_throw_exception_ex(reflection_exception_ptr, 0,
-                                               "Method %s::%s() does not exist", ZSTR_VAL(ce->name), Z_STRVAL_P(method));
                                        return;
                                }
                                zend_string_release(name);

diff --git a/ext/reflection/tests/ReflectionParameter_ctor_cast.phpt b/ext/reflection/tests/ReflectionParameter_ctor_cast.phpt
new file mode 100644 (file)
index 0000000..10f4564
--- /dev/null
+++ b/ext/reflection/tests/ReflectionParameter_ctor_cast.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Test method name string cast in ReflectionParameter ctor
+--FILE--
+<?php
+
+class A {}
+try {
+    new ReflectionParameter([
+        A::class,
+        new class { public function __toString() { return 'method'; } }
+    ], 'param');
+} catch (ReflectionException $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Method A::method() does not exist