Fix leak of call->extra_named_params on internal __call

Fixes GH-12835
Closes GH-12836

Author: iluuu1994

NEWS

@@ -10,6 +10,8 @@ PHP                                                                        NEWS
   . Fixed bug GH-12758 / GH-12768 (Invalid opline in OOM handlers within
     ZEND_FUNC_GET_ARGS and ZEND_BIND_STATIC). (Florian Engelhardt)
   . Fix various missing NULL checks. (nielsdos, dstogov)
+  . Fixed bug GH-12835 (Leak of call->extra_named_params on internal __call).
+    (ilutov)
 
 - Date:
   . Fixed improbably integer overflow while parsing really large (or small)

Zend/zend_vm_def.h

@@ -8783,6 +8783,9 @@ ZEND_VM_HANDLER(158, ZEND_CALL_TRAMPOLINE, ANY, ANY, SPEC(OBSERVER))
 		EG(current_execute_data) = call->prev_execute_data;
 
 		zend_vm_stack_free_args(call);
+		if (UNEXPECTED(call_info & ZEND_CALL_HAS_EXTRA_NAMED_PARAMS)) {
+			zend_free_extra_named_params(call->extra_named_params);
+		}
 		if (ret == &retval) {
 			zval_ptr_dtor(ret);
 		}

Zend/zend_vm_execute.h

@@ -65,6 +65,7 @@ static zend_class_entry *zend_test_ns2_ns_foo_class;
 static zend_class_entry *zend_test_unit_enum;
 static zend_class_entry *zend_test_string_enum;
 static zend_class_entry *zend_test_int_enum;
+static zend_class_entry *zend_test_magic_call;
 static zend_object_handlers zend_test_class_handlers;
 
 static ZEND_FUNCTION(zend_test_func)
@@ -802,6 +803,24 @@ static ZEND_METHOD(ZendTestForbidDynamicCall, callStatic)
 	zend_forbid_dynamic_call();
 }
 
+static ZEND_METHOD(_ZendTestMagicCall, __call)
+{
+	zend_string *name;
+	zval *arguments;
+
+	ZEND_PARSE_PARAMETERS_START(2, 2)
+		Z_PARAM_STR(name)
+		Z_PARAM_ARRAY(arguments)
+	ZEND_PARSE_PARAMETERS_END();
+
+	zval name_zv;
+	ZVAL_STR(&name_zv, name);
+
+	zend_string_addref(name);
+	Z_TRY_ADDREF_P(arguments);
+	RETURN_ARR(zend_new_pair(&name_zv, arguments));
+}
+
 PHP_INI_BEGIN()
 	STD_PHP_INI_BOOLEAN("zend_test.replace_zend_execute_ex", "0", PHP_INI_SYSTEM, OnUpdateBool, replace_zend_execute_ex, zend_zend_test_globals, zend_test_globals)
 	STD_PHP_INI_BOOLEAN("zend_test.register_passes", "0", PHP_INI_SYSTEM, OnUpdateBool, register_passes, zend_zend_test_globals, zend_test_globals)
@@ -914,6 +933,8 @@ PHP_MINIT_FUNCTION(zend_test)
 	zend_test_string_enum = register_class_ZendTestStringEnum();
 	zend_test_int_enum = register_class_ZendTestIntEnum();
 
+	zend_test_magic_call = register_class__ZendTestMagicCall();
+
 	zend_register_functions(NULL, ext_function_legacy, NULL, EG(current_module)->type);
 
 	// Loading via dl() not supported with the observer API

ext/zend_test/test.c

@@ -47,6 +47,11 @@ public function returnsThrowable(): Throwable {}
         static public function variadicTest(string|Iterator ...$elements) : static {}
     }
 
+    class _ZendTestMagicCall
+    {
+        public function __call(string $name, array $args): mixed {}
+    }
+
     class _ZendTestChildClass extends _ZendTestClass
     {
         public function returnsThrowable(): Exception {}

ext/zend_test/test.stub.php

@@ -0,0 +1,23 @@
+--TEST--
+GH-12835: call->extra_named_params leaks on internal __call
+--EXTENSIONS--
+zend_test
+--FILE--
+<?php
+$obj = new _ZendTestMagicCall;
+var_dump($obj->test('a', 'b', c: 'c'));
+?>
+--EXPECT--
+array(2) {
+  [0]=>
+  string(4) "test"
+  [1]=>
+  array(3) {
+    [0]=>
+    string(1) "a"
+    [1]=>
+    string(1) "b"
+    ["c"]=>
+    string(1) "c"
+  }
+}