From 35aea97e42ebad10437688472fa03c6768ca6ea3 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Wed, 11 Feb 2015 17:41:21 +0300
Subject: [PATCH] Fixed bug #69025 (Invalid read of size 4 when calling __callStatic)
---
Zend/tests/bug69025.phpt | 15 +++++++++++++++
Zend/zend_object_handlers.c | 2 ++
Zend/zend_vm_def.h | 10 ++++++----
Zend/zend_vm_execute.h | 10 ++++++----
4 files changed, 29 insertions(+), 8 deletions(-)
create mode 100644 Zend/tests/bug69025.phpt
diff --git a/Zend/tests/bug69025.phpt b/Zend/tests/bug69025.phpt
new file mode 100644
index 0000000000..389c09f75f
--- /dev/null
+++ b/Zend/tests/bug69025.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #69025 (Invalid read of size 4 when calling __callStatic)
+--FILE--
+
+OK
+--EXPECT--
+OK
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index 7a94a3dcd3..9a376aa1a0 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -936,6 +936,7 @@ ZEND_API void zend_std_call_user_call(INTERNAL_FUNCTION_PARAMETERS) /* {{{ */
 /* destruct the function also, then - we have allocated it in get_method */
 efree_size(func, sizeof(zend_internal_function));
+ execute_data->func = NULL;
 }
 /* }}} */
@@ -1156,6 +1157,7 @@ ZEND_API void zend_std_callstatic_user_call(INTERNAL_FUNCTION_PARAMETERS) /* {{{
 /* destruct the function also, then - we have allocated it in get_method */
 efree_size(func, sizeof(zend_internal_function));
+ execute_data->func = NULL;
 }
 /* }}} */
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 8a1bda8cd7..f437f430d5 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
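Review bot: The new `execute_data->func = NULL;` placed after `efree_size(func, ...)` in zend_std_call_user_call leaves the call frame with a null function pointer, and nothing at the site says why, so a later reader cannot tell that every consumer of the frame after the trampoline returns must tolerate it; the second hunk adds the identical line to zend_std_callstatic_user_call. I would extend the existing comment to `/* destruct the function also, then - we have allocated it in get_method; clear the frame's func so nothing dereferences the freed trampoline after we return (ZEND_DO_FCALL checks for NULL) */`. The commit only teaches ZEND_DO_FCALL to expect the NULL; if these handlers can also be reached through other call paths (zend_call_function, for instance) that inspect call->func after the call returns, those would presumably need the same guard, which is worth confirming. Both enclosing functions start outside their hunks.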
@@ -2871,14 +2871,16 @@ ZEND_VM_HANDLER(60, ZEND_DO_FCALL, ANY, ANY)
 } else {
 zend_execute_internal(call, ret);
 }
+
+ ZEND_ASSERT(
+ !call->func ||
+ !(call->func->common.fn_flags & ZEND_ACC_HAS_RETURN_TYPE) ||
+ zend_verify_internal_return_type(call->func, EX_VAR(opline->result.var)));
+
 EG(current_execute_data) = call->prev_execute_data;
 zend_vm_stack_free_args(call);
 zend_vm_stack_free_call_frame(call);
- ZEND_ASSERT(
- !(fbc->common.fn_flags & ZEND_ACC_HAS_RETURN_TYPE) ||
- zend_verify_internal_return_type(fbc, EX_VAR(opline->result.var)));
-
 if (!RETURN_VALUE_USED(opline)) {
 zval_ptr_dtor(EX_VAR(opline->result.var));
 }
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 19e1a741b5..3e32191a03 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -597,14 +597,16 @@ static int ZEND_FASTCALL ZEND_DO_FCALL_SPEC_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
 } else {
 zend_execute_internal(call, ret);
 }
+
+ ZEND_ASSERT(
+ !call->func ||
+ !(call->func->common.fn_flags & ZEND_ACC_HAS_RETURN_TYPE) ||
+ zend_verify_internal_return_type(call->func, EX_VAR(opline->result.var)));
+
 EG(current_execute_data) = call->prev_execute_data;
 zend_vm_stack_free_args(call);
 zend_vm_stack_free_call_frame(call);
- ZEND_ASSERT(
- !(fbc->common.fn_flags & ZEND_ACC_HAS_RETURN_TYPE) ||
- zend_verify_internal_return_type(fbc, EX_VAR(opline->result.var)));
-
 if (!RETURN_VALUE_USED(opline)) {
 zval_ptr_dtor(EX_VAR(opline->result.var));
 }
-- 
2.50.1
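Review bot: The `!call->func ||` clause in the relocated ZEND_ASSERT skips the return-type verification entirely for trampoline calls (the ones zend_std_call_user_call now frees and nulls), and the reason the pointer can be NULL at this point is not stated; a one-line comment above the assert, `/* call->func is NULL when the callee was a __call/__callStatic trampoline that the handler itself freed */`, would keep the next maintainer from "fixing" the check back to `fbc`. The local `fbc` — presumably the same pointer the removed assert dereferenced, which is the invalid read the commit fixes — still dangles once the trampoline has returned, so any remaining use of it later in the handler, outside this hunk, would reproduce the original bug and is worth checking. The handler body begins and ends outside the hunk. The matching change in zend_vm_execute.h is the generated copy of this handler.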