Fix may_have_extra_named_args flag for ZEND_AST_UNPACK

nielsdos · nielsdos · commit 0b3e637aec21 · 2025-01-21T19:26:49.000+01:00
The check for `!fbc || (fbc->common.fn_flags & ZEND_ACC_VARIADIC)` is performed after `fbc` is set to NULL, so this always returns true. This results in `ZEND_FCALL_MAY_HAVE_EXTRA_NAMED_PARAMS` always being set for unpack sends. Fix it by moving the flag updates to the point before setting `fbc` to NULL. Closes GH-17534.
diff --git a/NEWS b/NEWS
@@ -14,6 +14,7 @@ PHP                                                                        NEWS
   . Fixed potential OOB when checking for trailing spaces on Windows. (cmb)
   . Fixed bug GH-17408 (Assertion failure Zend/zend_exceptions.c).
     (nielsdos, ilutov)
+  . Fix may_have_extra_named_args flag for ZEND_AST_UNPACK. (nielsdos)
 
 - DOM:
   . Fixed bug GH-17500 (Segfault with requesting nodeName on nameless doctype).
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
@@ -3661,6 +3661,12 @@ static uint32_t zend_compile_args(
 					"Cannot use argument unpacking after named arguments");
 			}
 
+			/* Unpack may contain named arguments. */
+			may_have_undef = 1;
+			if (!fbc || (fbc->common.fn_flags & ZEND_ACC_VARIADIC)) {
+				*may_have_extra_named_args = 1;
+			}
+
 			uses_arg_unpack = 1;
 			fbc = NULL;
 
@@ -3669,11 +3675,6 @@ static uint32_t zend_compile_args(
 			opline->op2.num = arg_count;
 			opline->result.var = EX_NUM_TO_VAR(arg_count - 1);
 
-			/* Unpack may contain named arguments. */
-			may_have_undef = 1;
-			if (!fbc || (fbc->common.fn_flags & ZEND_ACC_VARIADIC)) {
-				*may_have_extra_named_args = 1;
-			}
 			continue;
 		}
 
