Don't leak extra args for internal functions

nikic · nikic · commit 584949d16cb4 · 2020-07-03T14:50:15.000+02:00
diff --git a/Zend/tests/named_params/internal_variadics.phpt b/Zend/tests/named_params/internal_variadics.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Named params on internal functions: Variadic functions
+--FILE--
+<?php
+
+array_merge([1, 2], a: [3, 4]);
+
+?>
+--EXPECT--
+
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -3874,6 +3874,7 @@ ZEND_VM_HOT_HANDLER(129, ZEND_DO_ICALL, ANY, ANY, SPEC(RETVAL))
 	ret = RETURN_VALUE_USED(opline) ? EX_VAR(opline->result.var) : &retval;
 	ZVAL_NULL(ret);
 
+	/* TODO: Don't use the ICALL specialization if named params are used? */
 	if (UNEXPECTED(ZEND_CALL_INFO(call) & ZEND_CALL_MAY_HAVE_UNDEF)) {
 		if (zend_handle_icall_undef_args(call) == FAILURE) {
 			ZEND_VM_C_GOTO(do_icall_cleanup);
@@ -3897,6 +3898,9 @@ ZEND_VM_HOT_HANDLER(129, ZEND_DO_ICALL, ANY, ANY, SPEC(RETVAL))
 ZEND_VM_C_LABEL(do_icall_cleanup):
 	EG(current_execute_data) = execute_data;
 	zend_vm_stack_free_args(call);
+	if (UNEXPECTED(ZEND_CALL_INFO(call) & ZEND_CALL_HAS_EXTRA_NAMED_PARAMS)) {
+		zend_array_destroy(call->extra_named_params);
+	}
 	zend_vm_stack_free_call_frame(call);
 
 	if (!RETURN_VALUE_USED(opline)) {
@@ -4008,6 +4012,9 @@ ZEND_VM_HOT_HANDLER(131, ZEND_DO_FCALL_BY_NAME, ANY, ANY, SPEC(RETVAL))
 
 ZEND_VM_C_LABEL(fcall_by_name_end):
 		zend_vm_stack_free_args(call);
+		if (UNEXPECTED(ZEND_CALL_INFO(call) & ZEND_CALL_HAS_EXTRA_NAMED_PARAMS)) {
+			zend_array_destroy(call->extra_named_params);
+		}
 		zend_vm_stack_free_call_frame(call);
 
 		if (!RETURN_VALUE_USED(opline)) {
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
@@ -1237,6 +1237,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_DO_ICALL_SPEC_RETV
 	ret = 0 ? EX_VAR(opline->result.var) : &retval;
 	ZVAL_NULL(ret);
 
+	/* TODO: Don't use the ICALL specialization if named params are used? */
 	if (UNEXPECTED(ZEND_CALL_INFO(call) & ZEND_CALL_MAY_HAVE_UNDEF)) {
 		if (zend_handle_icall_undef_args(call) == FAILURE) {
 			goto do_icall_cleanup;
@@ -1260,6 +1261,9 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_DO_ICALL_SPEC_RETV
 do_icall_cleanup:
 	EG(current_execute_data) = execute_data;
 	zend_vm_stack_free_args(call);
+	if (UNEXPECTED(ZEND_CALL_INFO(call) & ZEND_CALL_HAS_EXTRA_NAMED_PARAMS)) {
+		zend_array_destroy(call->extra_named_params);
+	}
 	zend_vm_stack_free_call_frame(call);
 
 	if (!0) {
@@ -1296,6 +1300,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_DO_ICALL_SPEC_RETV
 	ret = 1 ? EX_VAR(opline->result.var) : &retval;
 	ZVAL_NULL(ret);
 
+	/* TODO: Don't use the ICALL specialization if named params are used? */
 	if (UNEXPECTED(ZEND_CALL_INFO(call) & ZEND_CALL_MAY_HAVE_UNDEF)) {
 		if (zend_handle_icall_undef_args(call) == FAILURE) {
 			goto do_icall_cleanup;
@@ -1319,6 +1324,9 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_DO_ICALL_SPEC_RETV
 do_icall_cleanup:
 	EG(current_execute_data) = execute_data;
 	zend_vm_stack_free_args(call);
+	if (UNEXPECTED(ZEND_CALL_INFO(call) & ZEND_CALL_HAS_EXTRA_NAMED_PARAMS)) {
+		zend_array_destroy(call->extra_named_params);
+	}
 	zend_vm_stack_free_call_frame(call);
 
 	if (!1) {
@@ -1453,6 +1461,9 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_DO_FCALL_BY_NAME_S
 
 fcall_by_name_end:
 		zend_vm_stack_free_args(call);
+		if (UNEXPECTED(ZEND_CALL_INFO(call) & ZEND_CALL_HAS_EXTRA_NAMED_PARAMS)) {
+			zend_array_destroy(call->extra_named_params);
+		}
 		zend_vm_stack_free_call_frame(call);
 
 		if (!0) {
@@ -1541,6 +1552,9 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_DO_FCALL_BY_NAME_S
 
 fcall_by_name_end:
 		zend_vm_stack_free_args(call);
+		if (UNEXPECTED(ZEND_CALL_INFO(call) & ZEND_CALL_HAS_EXTRA_NAMED_PARAMS)) {
+			zend_array_destroy(call->extra_named_params);
+		}
 		zend_vm_stack_free_call_frame(call);
 
 		if (!1) {
@@ -2572,7 +2586,6 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_dispatch_try
 {
 	/* May be NULL during generator closing (only finally blocks are executed) */
 	zend_object *ex = EG(exception);
-	zend_bool is_unwind_exit = ex && zend_is_unwind_exit(ex);
 
 	/* Walk try/catch/finally structures upwards, performing the necessary actions */
 	for (; try_catch_offset != (uint32_t) -1; try_catch_offset--) {
@@ -2585,7 +2598,7 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_dispatch_try
 			ZEND_VM_JMP_EX(&EX(func)->op_array.opcodes[try_catch->catch_op], 0);
 
 		} else if (op_num < try_catch->finally_op) {
-			if (is_unwind_exit) {
+			if (ex && zend_is_unwind_exit(ex)) {
 				/* Don't execute finally blocks on exit (for now) */
 				continue;
 			}
