Fixed #75220 - Segfault when calling is_callable on parent

diff --git a/NEWS b/NEWS
index 37520dc7d30e759fe829767ca8662c8f88b149db..c3c39bb418d3fdaa59393850f8ec86798504be98 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,8 @@ PHP                                                                        NEWS
   . Fixed bug #75236 (infinite loop when printing an error-message). (Andrea)
   . Fixed bug #75252 (Incorrect token formatting on two parse errors in one
     request). (Nikita)
+  . Fixed bug #75220 (Segfault when calling is_callable on parent). 
+    (andrewnester)
 
 - SPL:
   . Fixed bug #73629 (SplDoublyLinkedList::setIteratorMode masks intern flags).

diff --git a/Zend/zend_API.c b/Zend/zend_API.c
index 262429c79de3df6416f78879acd95e9186b85d61..d7b22791849357e4b1ebd9f02729730788e17334 100644 (file)
--- a/Zend/zend_API.c
+++ b/Zend/zend_API.c
@@ -3067,7 +3067,8 @@ get_function_via_handler:
                                            (!fcc->function_handler->common.scope ||
                                             !instanceof_function(ce_org, fcc->function_handler->common.scope))) {
                                                if (fcc->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) {
-                                                       if (fcc->function_handler->type != ZEND_OVERLOADED_FUNCTION) {
+                                                       if (fcc->function_handler->type != ZEND_OVERLOADED_FUNCTION && 
+                                                               fcc->function_handler->common.function_name) {
                                                                zend_string_release(fcc->function_handler->common.function_name);
                                                        }
                                                        zend_free_trampoline(fcc->function_handler);
@@ -3237,7 +3238,8 @@ again:
                                ((fcc->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) ||
                             fcc->function_handler->type == ZEND_OVERLOADED_FUNCTION_TEMPORARY ||
                             fcc->function_handler->type == ZEND_OVERLOADED_FUNCTION)) {
-                               if (fcc->function_handler->type != ZEND_OVERLOADED_FUNCTION) {
+                               if (fcc->function_handler->type != ZEND_OVERLOADED_FUNCTION && 
+                                       fcc->function_handler->common.function_name) {
                                        zend_string_release(fcc->function_handler->common.function_name);
                                }
                                zend_free_trampoline(fcc->function_handler);
@@ -3324,7 +3326,8 @@ again:
                                                ((fcc->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) ||
                                             fcc->function_handler->type == ZEND_OVERLOADED_FUNCTION_TEMPORARY ||
                                             fcc->function_handler->type == ZEND_OVERLOADED_FUNCTION)) {
-                                               if (fcc->function_handler->type != ZEND_OVERLOADED_FUNCTION) {
+                                               if (fcc->function_handler->type != ZEND_OVERLOADED_FUNCTION && 
+                                                       fcc->function_handler->common.function_name) {
                                                        zend_string_release(fcc->function_handler->common.function_name);
                                                }
                                                zend_free_trampoline(fcc->function_handler);

diff --git a/ext/standard/tests/bug75220.phpt b/ext/standard/tests/bug75220.phpt
new file mode 100644 (file)
index 0000000..f5820a1
--- /dev/null
+++ b/ext/standard/tests/bug75220.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Bug #75220 (is_callable crash for 'parent')
+--FILE--
+<?php
+
+$a = new A();
+$a->bar('foo');
+
+class B {};
+class A extends B
+{
+       function bar($func)
+       {
+               var_dump('foo');
+               var_dump(is_callable('parent::foo'));
+               var_dump(is_callable(array('parent', 'foo')));
+       }
+       
+       function __call($func, $args)
+       {
+       }
+};
+
+?>
+--EXPECT--
+string(3) "foo"
+bool(false)
+bool(false)
\ No newline at end of file