Fix freeing of dynamic call name

nikic · nikic · commit 189f625e2b2a · 2019-12-18T10:11:09.000+01:00
We need to free op2 if the call construction fails.

Also remove a redundant check for !call.
diff --git a/Zend/tests/dynamic_call_freeing.phpt b/Zend/tests/dynamic_call_freeing.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Freeing of function "name" when dynamic call fails
+--FILE--
+<?php
+
+try {
+    $bar = "bar";
+    ("foo" . $bar)();
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    $bar = ["bar"];
+    (["foo"] + $bar)();
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    (new stdClass)();
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Call to undefined function foobar()
+Function name must be a string
+Function name must be a string
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -3344,11 +3344,11 @@ ZEND_VM_C_LABEL(try_function_name):
 		call = NULL;
 	}
 
+	FREE_OP2();
 	if (UNEXPECTED(!call)) {
 		HANDLE_EXCEPTION();
 	}
 
-	FREE_OP2();
 	if (OP2_TYPE & (IS_VAR|IS_TMP_VAR)) {
 		if (UNEXPECTED(EG(exception))) {
 			if (call) {
@@ -3360,8 +3360,6 @@ ZEND_VM_C_LABEL(try_function_name):
 			}
 			HANDLE_EXCEPTION();
 		}
-	} else if (UNEXPECTED(!call)) {
-		HANDLE_EXCEPTION();
 	}
 
 	call->prev_execute_data = EX(call);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
@@ -2137,8 +2137,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_DYNAMIC_CALL_SPEC_CONST_H
 			}
 			HANDLE_EXCEPTION();
 		}
-	} else if (UNEXPECTED(!call)) {
-		HANDLE_EXCEPTION();
 	}
 
 	call->prev_execute_data = EX(call);
@@ -2313,11 +2311,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_DYNAMIC_CALL_SPEC_TMPVAR_
 		call = NULL;
 	}
 
+	zval_ptr_dtor_nogc(free_op2);
 	if (UNEXPECTED(!call)) {
 		HANDLE_EXCEPTION();
 	}
 
-	zval_ptr_dtor_nogc(free_op2);
 	if ((IS_TMP_VAR|IS_VAR) & (IS_VAR|IS_TMP_VAR)) {
 		if (UNEXPECTED(EG(exception))) {
 			if (call) {
@@ -2329,8 +2327,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_DYNAMIC_CALL_SPEC_TMPVAR_
 			}
 			HANDLE_EXCEPTION();
 		}
-	} else if (UNEXPECTED(!call)) {
-		HANDLE_EXCEPTION();
 	}
 
 	call->prev_execute_data = EX(call);
@@ -2446,8 +2442,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_DYNAMIC_CALL_SPEC_CV_HAND
 			}
 			HANDLE_EXCEPTION();
 		}
-	} else if (UNEXPECTED(!call)) {
-		HANDLE_EXCEPTION();
 	}
 
 	call->prev_execute_data = EX(call);

Original file line number	Diff line number	Diff line change
`@@ -3344,11 +3344,11 @@ ZEND_VM_C_LABEL(try_function_name):`
`3344`	`3344`	`call = NULL;`
`3345`	`3345`	`}`
`3346`	`3346`
	`3347`	`+ FREE_OP2();`
`3347`	`3348`	`if (UNEXPECTED(!call)) {`
`3348`	`3349`	`HANDLE_EXCEPTION();`
`3349`	`3350`	`}`
`3350`	`3351`
`3351`		`- FREE_OP2();`
`3352`	`3352`	`if (OP2_TYPE & (IS_VAR\|IS_TMP_VAR)) {`
`3353`	`3353`	`if (UNEXPECTED(EG(exception))) {`
`3354`	`3354`	`if (call) {`
`@@ -3360,8 +3360,6 @@ ZEND_VM_C_LABEL(try_function_name):`
`3360`	`3360`	`}`
`3361`	`3361`	`HANDLE_EXCEPTION();`
`3362`	`3362`	`}`
`3363`		`- } else if (UNEXPECTED(!call)) {`
`3364`		`- HANDLE_EXCEPTION();`
`3365`	`3363`	`}`
`3366`	`3364`
`3367`	`3365`	`call->prev_execute_data = EX(call);`
Original file line number	Diff line number	Diff line change
`@@ -2137,8 +2137,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_DYNAMIC_CALL_SPEC_CONST_H`
`2137`	`2137`	`}`
`2138`	`2138`	`HANDLE_EXCEPTION();`
`2139`	`2139`	`}`
`2140`		`- } else if (UNEXPECTED(!call)) {`
`2141`		`- HANDLE_EXCEPTION();`
`2142`	`2140`	`}`
`2143`	`2141`
`2144`	`2142`	`call->prev_execute_data = EX(call);`
`@@ -2313,11 +2311,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_DYNAMIC_CALL_SPEC_TMPVAR_`
`2313`	`2311`	`call = NULL;`
`2314`	`2312`	`}`
`2315`	`2313`
	`2314`	`+ zval_ptr_dtor_nogc(free_op2);`
`2316`	`2315`	`if (UNEXPECTED(!call)) {`
`2317`	`2316`	`HANDLE_EXCEPTION();`
`2318`	`2317`	`}`
`2319`	`2318`
`2320`		`- zval_ptr_dtor_nogc(free_op2);`
`2321`	`2319`	`if ((IS_TMP_VAR\|IS_VAR) & (IS_VAR\|IS_TMP_VAR)) {`
`2322`	`2320`	`if (UNEXPECTED(EG(exception))) {`
`2323`	`2321`	`if (call) {`
`@@ -2329,8 +2327,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_DYNAMIC_CALL_SPEC_TMPVAR_`
`2329`	`2327`	`}`
`2330`	`2328`	`HANDLE_EXCEPTION();`
`2331`	`2329`	`}`
`2332`		`- } else if (UNEXPECTED(!call)) {`
`2333`		`- HANDLE_EXCEPTION();`
`2334`	`2330`	`}`
`2335`	`2331`
`2336`	`2332`	`call->prev_execute_data = EX(call);`
`@@ -2446,8 +2442,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_INIT_DYNAMIC_CALL_SPEC_CV_HAND`
`2446`	`2442`	`}`
`2447`	`2443`	`HANDLE_EXCEPTION();`
`2448`	`2444`	`}`
`2449`		`- } else if (UNEXPECTED(!call)) {`
`2450`		`- HANDLE_EXCEPTION();`
`2451`	`2445`	`}`
`2452`	`2446`
`2453`	`2447`	`call->prev_execute_data = EX(call);`