Reset user func trampoline values FFI may overwrite

iluuu1994 · iluuu1994 · commit 0a8518bbfe18 · 2023-03-27T16:04:37.000+02:00
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -1253,6 +1253,9 @@ ZEND_API zend_function *zend_get_call_trampoline_func(zend_class_entry *ce, zend
 	ZEND_MAP_PTR_INIT(func->run_time_cache, (void***)&dummy);
 	func->scope = fbc->common.scope;
 	/* reserve space for arguments, local and temporary variables */
+	/* last_var is overwritten by zend_ffi_cdata_get_closure() (overlapping
+	 * internal function data) so we need to reset it */
+	func->last_var = 0;
 	func->T = (fbc->type == ZEND_USER_FUNCTION)? MAX(fbc->op_array.last_var + fbc->op_array.T, 2) : 2;
 	func->filename = (fbc->type == ZEND_USER_FUNCTION)? fbc->op_array.filename : ZSTR_EMPTY_ALLOC();
 	func->line_start = (fbc->type == ZEND_USER_FUNCTION)? fbc->op_array.line_start : 0;
diff --git a/ext/ffi/tests/trampoline_reset.phpt b/ext/ffi/tests/trampoline_reset.phpt
@@ -0,0 +1,37 @@
+--TEST--
+Test
+--EXTENSIONS--
+ffi
+--SKIPIF--
+<?php
+try {
+    $libc = FFI::cdef("int printf(const char *format, ...);", "libc.so.6");
+} catch (Throwable $_) {
+    die('skip libc.so.6 not available');
+}
+?>
+--INI--
+ffi.enable=1
+--FILE--
+<?php
+class Test
+{
+	public static function __callStatic($name, $args)
+	{
+		echo "$name called\n";
+	}
+}
+
+Test::works1();
+Test::works2();
+
+$ffi = FFI::cdef('int printf(const char *format, ...);', 'libc.so.6');
+$ffi->printf("Hello %s!\n", "world");
+
+Test::breaks();
+?>
+--EXPECT--
+works1 called
+works2 called
+breaks called
+Hello world!
