Fixed bug #69212

Author: nikic

NEWS

@@ -8,6 +8,8 @@ PHP                                                                        NEWS
   . Fixed bug #67626 (User exceptions not properly handled in streams). 
     (Julian)
   . Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai)
+  . Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in
+    __call/... arg passing). (Nikita)
 
 - Filter:
   . Fixed bug #69202: (FILTER_FLAG_STRIP_BACKTICK ignored unless other

Zend/tests/bug69212.phpt

@@ -0,0 +1,27 @@
+--TEST--
+Bug #69212: Leaking VIA_HANDLER func when exception thrown in __call/... arg passing
+--FILE--
+<?php
+
+class Test {
+    public static function __callStatic($method, $args) {}
+    public function __call($method, $args) {}
+}
+
+function do_throw() { throw new Exception; }
+
+try {
+    Test::foo(do_throw());
+} catch (Exception $e) {
+    echo "Caught!\n";
+}
+try {
+    (new Test)->bar(do_throw());
+} catch (Exception $e) {
+    echo "Caught!\n";
+}
+
+?>
+--EXPECT--
+Caught!
+Caught!

Zend/zend_vm_def.h

@@ -5042,6 +5042,10 @@ ZEND_VM_HANDLER(149, ZEND_HANDLE_EXCEPTION, ANY, ANY)
 				}
 				zval_ptr_dtor(&call->object);
 			}
+			if (call->fbc->common.fn_flags & ZEND_ACC_CALL_VIA_HANDLER) {
+				efree((char *) call->fbc->common.function_name);
+				efree(call->fbc);
+			}
 			call--;
 		} while (call >= EX(call_slots));
 		EX(call) = NULL;

Zend/zend_vm_execute.h

@@ -1022,6 +1022,10 @@ static int ZEND_FASTCALL  ZEND_HANDLE_EXCEPTION_SPEC_HANDLER(ZEND_OPCODE_HANDLER
 				}
 				zval_ptr_dtor(&call->object);
 			}
+			if (call->fbc->common.fn_flags & ZEND_ACC_CALL_VIA_HANDLER) {
+				efree((char *) call->fbc->common.function_name);
+				efree(call->fbc);
+			}
 			call--;
 		} while (call >= EX(call_slots));
 		EX(call) = NULL;