Reset user func trampoline values FFI may overwrite

iluuu1994 · iluuu1994 · commit 017062fd1b01 · 2023-03-23T20:30:56.000+01:00
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -1271,6 +1271,13 @@ ZEND_API zend_function *zend_get_call_trampoline_func(zend_class_entry *ce, zend
 	func->required_num_args = 0;
 	func->arg_info = (zend_arg_info *) arg_info;
 
+	// These maybe overwritten by FFI zend_ffi_cdata_get_closure()
+	// (handler, module, reserved[0], reserved[1])
+	func->cache_size = 0;
+	func->last_var = 0;
+	func->last = 0;
+	ZEND_MAP_PTR(func->static_variables_ptr) = NULL;
+
 	return (zend_function*)func;
 }
 /* }}} */
diff --git a/ext/ffi/tests/trampoline_reset.phpt b/ext/ffi/tests/trampoline_reset.phpt
@@ -0,0 +1,37 @@
+--TEST--
+Test
+--EXTENSIONS--
+ffi
+--SKIPIF--
+<?php
+try {
+    $libc = FFI::cdef("int printf(const char *format, ...);", "libc.so.6");
+} catch (Throwable $_) {
+    die('skip libc.so.6 not available');
+}
+?>
+--INI--
+ffi.enable=1
+--FILE--
+<?php
+class Test
+{
+	public static function __callStatic($name, $args)
+	{
+		echo "$name called\n";
+	}
+}
+
+Test::works1();
+Test::works2();
+
+$ffi = FFI::cdef('int printf(const char *format, ...);', 'libc.so.6');
+$ffi->printf("Hello %s!\n", "world");
+
+Test::breaks();
+?>
+--EXPECT--
+works1 called
+works2 called
+breaks called
+Hello world!
