Fixed #75220 - Segfault when calling is_callable on parent

Author: andrewnester

NEWS

@@ -8,6 +8,8 @@ PHP                                                                        NEWS
   . Fixed bug #75236 (infinite loop when printing an error-message). (Andrea)
   . Fixed bug #75252 (Incorrect token formatting on two parse errors in one
     request). (Nikita)
+  . Fixed bug #75220 (Segfault when calling is_callable on parent). 
+    (andrewnester)
 
 - SPL:
   . Fixed bug #73629 (SplDoublyLinkedList::setIteratorMode masks intern flags).

Zend/zend_API.c

@@ -3067,7 +3067,8 @@ static int zend_is_callable_check_func(int check_flags, zval *callable, zend_fca
 					    (!fcc->function_handler->common.scope ||
 					     !instanceof_function(ce_org, fcc->function_handler->common.scope))) {
 						if (fcc->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) {
-							if (fcc->function_handler->type != ZEND_OVERLOADED_FUNCTION) {
+							if (fcc->function_handler->type != ZEND_OVERLOADED_FUNCTION && 
+								fcc->function_handler->common.function_name) {
 								zend_string_release(fcc->function_handler->common.function_name);
 							}
 							zend_free_trampoline(fcc->function_handler);
@@ -3237,7 +3238,8 @@ ZEND_API zend_bool zend_is_callable_ex(zval *callable, zend_object *object, uint
 				((fcc->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) ||
 			     fcc->function_handler->type == ZEND_OVERLOADED_FUNCTION_TEMPORARY ||
 			     fcc->function_handler->type == ZEND_OVERLOADED_FUNCTION)) {
-				if (fcc->function_handler->type != ZEND_OVERLOADED_FUNCTION) {
+				if (fcc->function_handler->type != ZEND_OVERLOADED_FUNCTION && 
+					fcc->function_handler->common.function_name) {
 					zend_string_release(fcc->function_handler->common.function_name);
 				}
 				zend_free_trampoline(fcc->function_handler);
@@ -3324,7 +3326,8 @@ ZEND_API zend_bool zend_is_callable_ex(zval *callable, zend_object *object, uint
 						((fcc->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) ||
 					     fcc->function_handler->type == ZEND_OVERLOADED_FUNCTION_TEMPORARY ||
 					     fcc->function_handler->type == ZEND_OVERLOADED_FUNCTION)) {
-						if (fcc->function_handler->type != ZEND_OVERLOADED_FUNCTION) {
+						if (fcc->function_handler->type != ZEND_OVERLOADED_FUNCTION && 
+							fcc->function_handler->common.function_name) {
 							zend_string_release(fcc->function_handler->common.function_name);
 						}
 						zend_free_trampoline(fcc->function_handler);

ext/standard/tests/bug75220.phpt

@@ -0,0 +1,28 @@
+--TEST--
+Bug #75220 (is_callable crash for 'parent')
+--FILE--
+<?php
+
+$a = new A();
+$a->bar('foo');
+
+class B {};
+class A extends B
+{
+	function bar($func)
+	{
+		var_dump('foo');
+		var_dump(is_callable('parent::foo'));
+		var_dump(is_callable(array('parent', 'foo')));
+	}
+	
+	function __call($func, $args)
+	{
+	}
+};
+
+?>
+--EXPECT--
+string(3) "foo"
+bool(false)
+bool(false)