From fad8fe94a88a81fe1308e9715f3a54fb3ae8dabd Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@zend.com>
Date: Tue, 10 Mar 2015 14:05:14 +0300
Subject: [PATCH] Fixed access on uninitialized data in
 Zend/tests/closure_019.phpt

---
 Zend/zend_vm_def.h     | 2 ++
 Zend/zend_vm_execute.h | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 9958e18cfb..d60cf6ad62 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -3526,6 +3526,8 @@ ZEND_VM_HANDLER(116, ZEND_SEND_VAL_EX, CONST|TMP, ANY)
 	if (ARG_MUST_BE_SENT_BY_REF(EX(call)->func, opline->op2.num)) {
 		zend_error(E_EXCEPTION | E_ERROR, "Cannot pass parameter %d by reference", opline->op2.num);
 		FREE_UNFETCHED_OP1();
+		arg = ZEND_CALL_VAR(EX(call), opline->result.var);
+		ZVAL_UNDEF(arg);
 		HANDLE_EXCEPTION();
 	}
 	value = GET_OP1_ZVAL_PTR(BP_VAR_R);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 3f2cb215b2..2ae3059fc3 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -2887,6 +2887,8 @@ static int ZEND_FASTCALL  ZEND_SEND_VAL_EX_SPEC_CONST_HANDLER(ZEND_OPCODE_HANDLE
 	if (ARG_MUST_BE_SENT_BY_REF(EX(call)->func, opline->op2.num)) {
 		zend_error(E_EXCEPTION | E_ERROR, "Cannot pass parameter %d by reference", opline->op2.num);
 
+		arg = ZEND_CALL_VAR(EX(call), opline->result.var);
+		ZVAL_UNDEF(arg);
 		HANDLE_EXCEPTION();
 	}
 	value = EX_CONSTANT(opline->op1);
@@ -9360,6 +9362,8 @@ static int ZEND_FASTCALL  ZEND_SEND_VAL_EX_SPEC_TMP_HANDLER(ZEND_OPCODE_HANDLER_
 	if (ARG_MUST_BE_SENT_BY_REF(EX(call)->func, opline->op2.num)) {
 		zend_error(E_EXCEPTION | E_ERROR, "Cannot pass parameter %d by reference", opline->op2.num);
 		zval_ptr_dtor_nogc(EX_VAR(opline->op1.var));
+		arg = ZEND_CALL_VAR(EX(call), opline->result.var);
+		ZVAL_UNDEF(arg);
 		HANDLE_EXCEPTION();
 	}
 	value = _get_zval_ptr_tmp(opline->op1.var, execute_data, &free_op1);
-- 
2.40.0