From 46a49be6c866103ebcb95e03b2b96460bec16b7b Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Thu, 3 Sep 2020 17:10:34 +0200
Subject: Fixed bug #80049

Type checking may convert to refcounted values, so force freeing
of extra args.
---
 Zend/zend_vm_execute.h | 1 +
 1 file changed, 1 insertion(+)

(limited to 'Zend/zend_vm_execute.h')

diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 9d7515e9d0..e5e5a9e1da 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -2375,6 +2375,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_RECV_VARIADIC_SPEC_UNUSED_HAND
 		ZEND_HASH_FILL_PACKED(Z_ARRVAL_P(params)) {
 			param = EX_VAR_NUM(EX(func)->op_array.last_var + EX(func)->op_array.T);
 			if (UNEXPECTED((EX(func)->op_array.fn_flags & ZEND_ACC_HAS_TYPE_HINTS) != 0)) {
+				ZEND_ADD_CALL_FLAG(execute_data, ZEND_CALL_FREE_EXTRA_ARGS);
 				do {
 					zend_verify_arg_type(EX(func), arg_num, param, NULL, CACHE_ADDR(opline->op2.num));
 					if (Z_OPT_REFCOUNTED_P(param)) Z_ADDREF_P(param);
-- 
cgit v1.2.1