From d3b6fbe39bc74920da5e73a546208252a01f9586 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@php.net>
Date: Fri, 1 Oct 2010 11:53:04 +0000
Subject: [PATCH] Fixed bug #52940 (call_user_func_array still allows call-time
 pass-by-reference). (cataphract@php.net)

---
 Zend/tests/bug52940.phpt                      | 23 +++++++++++++++++++
 Zend/zend_execute_API.c                       | 20 ++++++++--------
 .../tests/array/array_map_variation19.phpt    |  2 +-
 .../call_user_func_array_variation_001.phpt   |  2 +-
 4 files changed, 34 insertions(+), 13 deletions(-)
 create mode 100644 Zend/tests/bug52940.phpt

diff --git a/Zend/tests/bug52940.phpt b/Zend/tests/bug52940.phpt
new file mode 100644
index 0000000000..f8d31c0dbe
--- /dev/null
+++ b/Zend/tests/bug52940.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #52940 (call_user_func_array still allows call-time pass-by-reference)
+--FILE--
+<?php
+function foo($a) {
+	$a++;
+	var_dump($a);	
+}
+function bar(&$a) {
+        $a++;
+        var_dump($a);
+}
+$a = 1;
+call_user_func_array("foo", array(&$a));
+var_dump($a);
+call_user_func_array("bar", array(&$a));
+var_dump($a);
+?>
+--EXPECT--
+int(2)
+int(1)
+int(2)
+int(2)
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
index f9c9bce99f..1f1a2b13d9 100644
--- a/Zend/zend_execute_API.c
+++ b/Zend/zend_execute_API.c
@@ -850,17 +850,8 @@ int zend_call_function(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache TS
 	for (i=0; i<fci->param_count; i++) {
 		zval *param;
 
-		if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION 
-			&& (EX(function_state).function->common.fn_flags & ZEND_ACC_CALL_VIA_HANDLER) == 0 
-			&& !ARG_SHOULD_BE_SENT_BY_REF(EX(function_state).function, i + 1)
-			&& PZVAL_IS_REF(*fci->params[i])) {
-			SEPARATE_ZVAL(fci->params[i]);
-		}
-
-		if (ARG_SHOULD_BE_SENT_BY_REF(EX(function_state).function, i + 1)
-			&& !PZVAL_IS_REF(*fci->params[i])) {
-
-			if (Z_REFCOUNT_PP(fci->params[i]) > 1) {
+		if (ARG_SHOULD_BE_SENT_BY_REF(EX(function_state).function, i + 1)) {
+			if (!PZVAL_IS_REF(*fci->params[i]) && Z_REFCOUNT_PP(fci->params[i]) > 1) {
 				zval *new_zval;
 
 				if (fci->no_separation) {
@@ -888,6 +879,13 @@ int zend_call_function(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache TS
 			Z_ADDREF_PP(fci->params[i]);
 			Z_SET_ISREF_PP(fci->params[i]);
 			param = *fci->params[i];
+		} else if (PZVAL_IS_REF(*fci->params[i]) &&
+		           /* don't separate references for __call */
+		           (EX(function_state).function->common.fn_flags & ZEND_ACC_CALL_VIA_HANDLER) == 0 ) {
+			ALLOC_ZVAL(param);
+			*param = **(fci->params[i]);
+			INIT_PZVAL(param);
+			zval_copy_ctor(param);
 		} else if (*fci->params[i] != &EG(uninitialized_zval)) {
 			Z_ADDREF_PP(fci->params[i]);
 			param = *fci->params[i];
diff --git a/ext/standard/tests/array/array_map_variation19.phpt b/ext/standard/tests/array/array_map_variation19.phpt
index 9478f70eff..0e56428a03 100644
--- a/ext/standard/tests/array/array_map_variation19.phpt
+++ b/ext/standard/tests/array/array_map_variation19.phpt
@@ -34,7 +34,7 @@ array(2) {
 }
 array(2) {
   [0]=>
-  &string(7) "changed"
+  &string(10) "original.0"
   [1]=>
   string(10) "original.1"
 }
\ No newline at end of file
diff --git a/ext/standard/tests/general_functions/call_user_func_array_variation_001.phpt b/ext/standard/tests/general_functions/call_user_func_array_variation_001.phpt
index 340e4e5daf..c05a329342 100644
--- a/ext/standard/tests/general_functions/call_user_func_array_variation_001.phpt
+++ b/ext/standard/tests/general_functions/call_user_func_array_variation_001.phpt
@@ -50,7 +50,7 @@ array(1) {
 ------ Calling by_val() with referenced argument ------
 array(1) {
   [0]=>
-  &string(7) "changed"
+  &string(8) "original"
 }
 ------ Calling by_ref() with referenced argument ------
 array(1) {
-- 
2.40.0