From b093abcde3316d280825c0b1d2f797a81cd40323 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Thu, 10 Oct 2019 09:53:24 +0200
Subject: [PATCH] Fix exception handling for call_user_func_array() with
 invalid type

Now that this throws an exception, the call frame cleanup will be
handled by exception handling -- remove it here to avoid double
frees.
---
 .../call_user_func_array_invalid_type.phpt     | 18 ++++++++++++++++++
 Zend/zend_vm_def.h                             |  5 -----
 Zend/zend_vm_execute.h                         |  5 -----
 3 files changed, 18 insertions(+), 10 deletions(-)
 create mode 100644 Zend/tests/call_user_func_array_invalid_type.phpt

diff --git a/Zend/tests/call_user_func_array_invalid_type.phpt b/Zend/tests/call_user_func_array_invalid_type.phpt
new file mode 100644
index 0000000000..d1c70f0fef
--- /dev/null
+++ b/Zend/tests/call_user_func_array_invalid_type.phpt
@@ -0,0 +1,18 @@
+--TEST--
+call_user_func_array() generating TypeError
+--FILE--
+<?php
+class drv {
+    function func() {
+    }
+}
+
+$drv = new drv;
+try {
+    call_user_func_array(array($drv, 'func'), null);
+} catch (TypeError $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+call_user_func_array() expects parameter 2 to be array, null given
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index ad25247b58..39fc0bd985 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -4950,11 +4950,6 @@ ZEND_VM_HANDLER(119, ZEND_SEND_ARRAY, ANY, ANY, NUM)
 			}
 		}
 		zend_type_error("call_user_func_array() expects parameter 2 to be array, %s given", zend_get_type_by_const(Z_TYPE_P(args)));
-		if (ZEND_CALL_INFO(EX(call)) & ZEND_CALL_CLOSURE) {
-			OBJ_RELEASE(ZEND_CLOSURE_OBJECT(EX(call)->func));
-		} else if (ZEND_CALL_INFO(EX(call)) & ZEND_CALL_RELEASE_THIS) {
-			OBJ_RELEASE(Z_OBJ(EX(call)->This));
-		}
 		FREE_UNFETCHED_OP2();
 		FREE_OP1();
 		HANDLE_EXCEPTION();
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index aeb629ced9..4fee913c32 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -1968,11 +1968,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_SEND_ARRAY_SPEC_HANDLER(ZEND_O
 			}
 		}
 		zend_type_error("call_user_func_array() expects parameter 2 to be array, %s given", zend_get_type_by_const(Z_TYPE_P(args)));
-		if (ZEND_CALL_INFO(EX(call)) & ZEND_CALL_CLOSURE) {
-			OBJ_RELEASE(ZEND_CLOSURE_OBJECT(EX(call)->func));
-		} else if (ZEND_CALL_INFO(EX(call)) & ZEND_CALL_RELEASE_THIS) {
-			OBJ_RELEASE(Z_OBJ(EX(call)->This));
-		}
 		FREE_UNFETCHED_OP(opline->op2_type, opline->op2.var);
 		FREE_OP(opline->op1_type, opline->op1.var);
 		HANDLE_EXCEPTION();
-- 
2.50.1