From b965f158aca1babc4d68f25f10129e237af9992f Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 18 Dec 2019 10:24:02 +0100
Subject: [PATCH] Fix use-after-free when trying to write to closure property

---
 Zend/tests/closure_write_prop.phpt | 22 ++++++++++++++++++++++
 Zend/zend_closures.c               |  2 +-
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/closure_write_prop.phpt

diff --git a/Zend/tests/closure_write_prop.phpt b/Zend/tests/closure_write_prop.phpt
new file mode 100644
index 00000000000..38bebf4e1b7
--- /dev/null
+++ b/Zend/tests/closure_write_prop.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Cannot write to closure properties
+--FILE--
+<?php
+
+class A {
+    function getFn() {
+        return function() {
+        };
+    }
+}
+
+$a = new A;
+try {
+    $c = $a->getFn()->b = new stdClass;
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Closure object cannot have properties
diff --git a/Zend/zend_closures.c b/Zend/zend_closures.c
index 697fd69fd63..92f1398d840 100644
--- a/Zend/zend_closures.c
+++ b/Zend/zend_closures.c
@@ -435,7 +435,7 @@ static ZEND_COLD zval *zend_closure_read_property(zval *object, zval *member, in
 static ZEND_COLD zval *zend_closure_write_property(zval *object, zval *member, zval *value, void **cache_slot) /* {{{ */
 {
 	ZEND_CLOSURE_PROPERTY_ERROR();
-	return value;
+	return &EG(error_zval);
 }
 /* }}} */