From bc9f2fb8dfadc1dba4264695ded28f673c54dc75 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Tue, 10 Mar 2015 18:17:56 +0100
Subject: [PATCH] Fixed bug #69212
---
 NEWS | 2 ++
 Zend/tests/bug69212.phpt | 27 +++++++++++++++++++++++++++
 Zend/zend_vm_def.h | 4 ++++
 Zend/zend_vm_execute.h | 4 ++++
 4 files changed, 37 insertions(+)
 create mode 100644 Zend/tests/bug69212.phpt
diff --git a/NEWS b/NEWS
index 826be4cb60..3a431bfad8 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,8 @@ PHP NEWS
 . Fixed bug #67626 (User exceptions not properly handled in streams). (Julian)
 . Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai)
+ . Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in
+ __call/... arg passing). (Nikita)
 - Filter:
 . Fixed bug #69202: (FILTER_FLAG_STRIP_BACKTICK ignored unless other
diff --git a/Zend/tests/bug69212.phpt b/Zend/tests/bug69212.phpt
new file mode 100644
index 0000000000..801073e2ca
--- /dev/null
+++ b/Zend/tests/bug69212.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #69212: Leaking VIA_HANDLER func when exception thrown in __call/... arg passing
+--FILE--
+bar(do_throw());
+} catch (Exception $e) {
+ echo "Caught!\n";
+}
+
+?>
+--EXPECT--
+Caught!
+Caught!
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 8954e69cc1..66758d47fa 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -5042,6 +5042,10 @@ ZEND_VM_HANDLER(149, ZEND_HANDLE_EXCEPTION, ANY, ANY)
 }
 zval_ptr_dtor(&call->object);
 }
+ if (call->fbc->common.fn_flags & ZEND_ACC_CALL_VIA_HANDLER) {
+ efree((char *) call->fbc->common.function_name);
+ efree(call->fbc);
+ }
 call--;
 } while (call >= EX(call_slots));
 EX(call) = NULL;
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index c0b64b61a3..58ca552b82 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
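Review bot: The added block in ZEND_HANDLE_EXCEPTION frees the trampoline with `efree(call->fbc);` but leaves the stale pointer in the slot, so any later code that revisits the call slots would see freed memory; adding `call->fbc = NULL;` right after the second `efree` makes a repeated cleanup harmless. The flag test also dereferences `call->fbc` for every slot down to `EX(call_slots)` with no NULL check, which is only safe if a slot never becomes current before its `fbc` is assigned; that invariant is set up outside this hunk and should be confirmed or stated in a comment. A short comment such as `/* VIA_HANDLER functions are allocated per call and owned by the call slot */` would document why this path must free them. The handler body starts and ends outside the hunk, and the zend_vm_execute.h hunk repeats the same lines.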
@@ -1022,6 +1022,10 @@ static int ZEND_FASTCALL ZEND_HANDLE_EXCEPTION_SPEC_HANDLER(ZEND_OPCODE_HANDLER
 }
 zval_ptr_dtor(&call->object);
 }
+ if (call->fbc->common.fn_flags & ZEND_ACC_CALL_VIA_HANDLER) {
+ efree((char *) call->fbc->common.function_name);
+ efree(call->fbc);
+ }
 call--;
 } while (call >= EX(call_slots));
 EX(call) = NULL;
--
2.49.0