Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3:
  Fix propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline

Author: iluuu1994

NEWS

@@ -19,6 +19,8 @@ PHP                                                                        NEWS
     (ilutov)
   . Fixed bug OSS-Fuzz #71407 (Null-dereference WRITE in
     zend_lazy_object_clone). (Arnaud)
+  . Fixed bug GH-16515 (Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for
+    call trampoline). (ilutov)
 
 - Curl:
   . Fixed bug GH-16302 (CurlMultiHandle holds a reference to CurlHandle if

Zend/tests/gh16515.phpt

@@ -0,0 +1,16 @@
+--TEST--
+GH-16515: Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline
+--FILE--
+<?php
+
+namespace Foo;
+
+class Foo {
+    public function &__call($method, $args) {}
+}
+
+call_user_func((new Foo)->bar(...));
+
+?>
+--EXPECTF--
+Notice: Only variable references should be returned by reference in %s on line %d

Zend/zend_closures.c

@@ -871,7 +871,7 @@ void zend_closure_from_frame(zval *return_value, zend_execute_data *call) { /* {
 
 		memset(&trampoline, 0, sizeof(zend_internal_function));
 		trampoline.type = ZEND_INTERNAL_FUNCTION;
-		trampoline.fn_flags = mptr->common.fn_flags & (ZEND_ACC_STATIC | ZEND_ACC_VARIADIC);
+		trampoline.fn_flags = mptr->common.fn_flags & (ZEND_ACC_STATIC | ZEND_ACC_VARIADIC | ZEND_ACC_RETURN_REFERENCE);
 		trampoline.handler = zend_closure_call_magic;
 		trampoline.function_name = mptr->common.function_name;
 		trampoline.scope = mptr->common.scope;

Zend/zend_object_handlers.c

@@ -1614,7 +1614,10 @@ ZEND_API zend_function *zend_get_call_trampoline_func(const zend_class_entry *ce
 	func->arg_flags[0] = 0;
 	func->arg_flags[1] = 0;
 	func->arg_flags[2] = 0;
-	func->fn_flags = ZEND_ACC_CALL_VIA_TRAMPOLINE | ZEND_ACC_PUBLIC | ZEND_ACC_VARIADIC;
+	func->fn_flags = ZEND_ACC_CALL_VIA_TRAMPOLINE
+		| ZEND_ACC_PUBLIC
+		| ZEND_ACC_VARIADIC
+		| (fbc->common.fn_flags & ZEND_ACC_RETURN_REFERENCE);
 	if (is_static) {
 		func->fn_flags |= ZEND_ACC_STATIC;
 	}