Fix propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline

Fixes GH-16515
Closes GH-16529

Author: iluuu1994

NEWS

@@ -13,6 +13,8 @@ PHP                                                                        NEWS
   . Fixed bug GH-16168 (php 8.1 and earlier crash immediately when compiled
     with Xcode 16 clang on macOS 15). (nielsdos)
   . Fixed bug GH-16371 (Assertion failure in Zend/zend_weakrefs.c:646). (Arnaud)
+  . Fixed bug GH-16515 (Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for
+    call trampoline). (ilutov)
 
 - Curl:
   . Fixed bug GH-16302 (CurlMultiHandle holds a reference to CurlHandle if

Zend/tests/gh16515.phpt

@@ -0,0 +1,16 @@
+--TEST--
+GH-16515: Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline
+--FILE--
+<?php
+
+namespace Foo;
+
+class Foo {
+    public function &__call($method, $args) {}
+}
+
+call_user_func((new Foo)->bar(...));
+
+?>
+--EXPECTF--
+Notice: Only variable references should be returned by reference in %s on line %d

Zend/zend_closures.c

@@ -845,7 +845,7 @@ void zend_closure_from_frame(zval *return_value, zend_execute_data *call) { /* {
 
 		memset(&trampoline, 0, sizeof(zend_internal_function));
 		trampoline.type = ZEND_INTERNAL_FUNCTION;
-		trampoline.fn_flags = mptr->common.fn_flags & ZEND_ACC_STATIC;
+		trampoline.fn_flags = mptr->common.fn_flags & (ZEND_ACC_STATIC|ZEND_ACC_RETURN_REFERENCE);
 		trampoline.handler = zend_closure_call_magic;
 		trampoline.function_name = mptr->common.function_name;
 		trampoline.scope = mptr->common.scope;

Zend/zend_object_handlers.c

@@ -1281,7 +1281,10 @@ ZEND_API zend_function *zend_get_call_trampoline_func(zend_class_entry *ce, zend
 	func->arg_flags[0] = 0;
 	func->arg_flags[1] = 0;
 	func->arg_flags[2] = 0;
-	func->fn_flags = ZEND_ACC_CALL_VIA_TRAMPOLINE | ZEND_ACC_PUBLIC | ZEND_ACC_VARIADIC;
+	func->fn_flags = ZEND_ACC_CALL_VIA_TRAMPOLINE
+		| ZEND_ACC_PUBLIC
+		| ZEND_ACC_VARIADIC
+		| (fbc->common.fn_flags & ZEND_ACC_RETURN_REFERENCE);
 	if (is_static) {
 		func->fn_flags |= ZEND_ACC_STATIC;
 	}