Merge branch 'PHP-5.3' into PHP-5.4

3 files changed, 34 insertions, 0 deletions

diff --git a/Zend/tests/bug64966.phpt b/Zend/tests/bug64966.phpt
new file mode 100644
index 0000000000..27fec3b72a
--- /dev/null
+++ b/Zend/tests/bug64966.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #64966 (segfault in zend_do_fcall_common_helper_SPEC)
+--FILE--
+<?php
+error_reporting(E_ALL);
+set_error_handler(function($error) { throw new Exception(); }, E_RECOVERABLE_ERROR);
+
+function test($func) {
+	$a = $func("");
+	return true;
+}
+class A {
+	public function b() {
+		test("strlen");
+		test("iterator_apply");
+	}
+}
+
+$a = new A();
+$a->b();
+?>
+--EXPECTF--
+Fatal error: Uncaught exception 'Exception' in %sbug64966.php:3
+Stack trace:
+#0 [internal function]: {closure}(4096, 'Argument 1 pass...', '/home/huixinche...', 6, Array)
+#1 %sbug64966.php(6): iterator_apply('')
+#2 %sbug64966.php(12): test('iterator_apply')
+#3 %sbug64966.php(17): A->b()
+#4 {main}
+  thrown in %sbug64966.php on line 3
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index eed65e3e27..40e2e42e7d 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -2684,6 +2684,8 @@ ZEND_VM_HELPER(zend_do_fcall_common_helper, ANY, ANY)
 			if (!RETURN_VALUE_USED(opline)) {
 				zval_ptr_dtor(&ret->var.ptr);
 			}
+		} else if (RETURN_VALUE_USED(opline)) {
+			EX_T(opline->result.u.var).var.ptr = NULL;
 		}
 	} else if (fbc->type == ZEND_USER_FUNCTION) {
 		EX(original_return_value) = EG(return_value_ptr_ptr);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 18b3f4772c..ad6d708381 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -648,6 +648,8 @@ static int ZEND_FASTCALL zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_AR
 			if (!RETURN_VALUE_USED(opline)) {
 				zval_ptr_dtor(&ret->var.ptr);
 			}
+		} else if (RETURN_VALUE_USED(opline)) {
+			EX_T(opline->result.u.var).var.ptr = NULL;
 		}
 	} else if (fbc->type == ZEND_USER_FUNCTION) {
 		EX(original_return_value) = EG(return_value_ptr_ptr);