Fixed access to memory that is already freed (in case of __call() method)

Author: dstogov

Zend/zend_vm_def.h

@@ -1830,6 +1830,8 @@ ZEND_VM_HELPER(zend_do_fcall_common_helper, ANY, ANY)
 		}
 	}
 	if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION) {
+		unsigned char return_reference = EX(function_state).function->common.return_reference;
+
 		ALLOC_ZVAL(EX_T(opline->result.u.var).var.ptr);
 		INIT_ZVAL(*(EX_T(opline->result.u.var).var.ptr));
 
@@ -1865,7 +1867,7 @@ ZEND_VM_HELPER(zend_do_fcall_common_helper, ANY, ANY)
 		if (!return_value_used) {
 			zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
 		} else {
-			EX_T(opline->result.u.var).var.fcall_returned_reference = EX(function_state).function->common.return_reference;
+			EX_T(opline->result.u.var).var.fcall_returned_reference = return_reference;
 		}
 	} else if (EX(function_state).function->type == ZEND_USER_FUNCTION) {
 		HashTable *calling_symbol_table;

Zend/zend_vm_execute.h

@@ -163,6 +163,8 @@ static int zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS)
 		}
 	}
 	if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION) {
+		unsigned char return_reference = EX(function_state).function->common.return_reference;
+
 		ALLOC_ZVAL(EX_T(opline->result.u.var).var.ptr);
 		INIT_ZVAL(*(EX_T(opline->result.u.var).var.ptr));
 
@@ -198,7 +200,7 @@ static int zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS)
 		if (!return_value_used) {
 			zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
 		} else {
-			EX_T(opline->result.u.var).var.fcall_returned_reference = EX(function_state).function->common.return_reference;
+			EX_T(opline->result.u.var).var.fcall_returned_reference = return_reference;
 		}
 	} else if (EX(function_state).function->type == ZEND_USER_FUNCTION) {
 		HashTable *calling_symbol_table;