From d0fbddcc2b363bb69ecc10c507f8172a47d1727b Mon Sep 17 00:00:00 2001
From: Zeev Suraski <zeev@php.net>
Date: Sun, 29 Oct 2000 19:16:29 +0000
Subject: [PATCH] Fix a corruption bug, when erroneously allowing to send
 non-variables by reference (several bug-db reports seem to originate in this
 bug)

---
 Zend/zend_compile.c | 10 +++++-----
 Zend/zend_compile.h |  2 ++
 Zend/zend_execute.c |  6 +++++-
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 84cc98411e..8c39273e98 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -942,20 +942,19 @@ void do_pass_param(znode *param, int op, int offset CLS_DC)
 		arg_types = NULL;
 	}
 
-	if (op == ZEND_SEND_VAL) {
+	if (op==ZEND_SEND_VAL) {
 		switch (param->op_type) {
 			case IS_CONST:	/* constants behave like variables when passed to functions,
 							 * as far as reference counting is concerned.  Treat them
 							 * as if they were variables here.
 							 */
 			case IS_VAR:
-				op = ZEND_SEND_VAR;
+				op = ZEND_SEND_VAR_NO_REF;
 				break;
 		}
 	}
-
-
-	if (ARG_SHOULD_BE_SENT_BY_REF(offset, 1, arg_types)) {
+	if (op!=ZEND_SEND_VAR_NO_REF
+		&& ARG_SHOULD_BE_SENT_BY_REF(offset, 1, arg_types)) {
 		/* change to passing by reference */
 		switch (param->op_type) {
 			case IS_VAR:
@@ -969,6 +968,7 @@ void do_pass_param(znode *param, int op, int offset CLS_DC)
 
 	if (original_op==ZEND_SEND_VAR) {
 		switch(op) {
+			case ZEND_SEND_VAR_NO_REF:
 			case ZEND_SEND_VAR:
 				if (function_ptr) {
 					do_end_variable_parse(BP_VAR_R, 0 CLS_CC);
diff --git a/Zend/zend_compile.h b/Zend/zend_compile.h
index 1abec93ebe..dee9c12b9e 100644
--- a/Zend/zend_compile.h
+++ b/Zend/zend_compile.h
@@ -537,6 +537,8 @@ int zendlex(znode *zendlval CLS_DC);
 
 #define ZEND_TICKS					105
 
+#define ZEND_SEND_VAR_NO_REF		106
+
 /* end of block */
 
 
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index f4c3d030ba..6035be3d0c 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1651,9 +1651,13 @@ do_fcall_common:
 				}
 				NEXT_OPCODE();
 			case ZEND_SEND_VAR:
+			case ZEND_SEND_VAR_NO_REF:
 				if (opline->extended_value==ZEND_DO_FCALL_BY_NAME
 					&& ARG_SHOULD_BE_SENT_BY_REF(opline->op2.u.opline_num, fbc, fbc->common.arg_types)) {
-						goto send_by_ref;
+					if (opline->opcode==ZEND_SEND_VAR_NO_REF) {
+						zend_error(E_ERROR, "Only variables can be passed by reference");
+					}
+					goto send_by_ref;
 				}
 				{
 					zval *varptr;
-- 
2.50.1