From 8720063c4eafff1180006052fb7962b5607c6dda Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Mon, 21 Oct 2024 14:59:36 +0200
Subject: [PATCH] Fix propagation of ZEND_ACC_RETURN_REFERENCE for call
 trampoline

Fixes GH-16515
Closes GH-16529
---
 NEWS                        |  2 ++
 Zend/tests/gh16515.phpt     | 16 ++++++++++++++++
 Zend/zend_closures.c        |  2 +-
 Zend/zend_object_handlers.c |  5 ++++-
 4 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 Zend/tests/gh16515.phpt

diff --git a/NEWS b/NEWS
index b437f80d6f4..38957adc4cb 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,8 @@ PHP                                                                        NEWS
   . Fixed bug GH-16168 (php 8.1 and earlier crash immediately when compiled
     with Xcode 16 clang on macOS 15). (nielsdos)
   . Fixed bug GH-16371 (Assertion failure in Zend/zend_weakrefs.c:646). (Arnaud)
+  . Fixed bug GH-16515 (Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for
+    call trampoline). (ilutov)
 
 - Curl:
   . Fixed bug GH-16302 (CurlMultiHandle holds a reference to CurlHandle if
diff --git a/Zend/tests/gh16515.phpt b/Zend/tests/gh16515.phpt
new file mode 100644
index 00000000000..63bb447e7ba
--- /dev/null
+++ b/Zend/tests/gh16515.phpt
@@ -0,0 +1,16 @@
+--TEST--
+GH-16515: Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline
+--FILE--
+<?php
+
+namespace Foo;
+
+class Foo {
+    public function &__call($method, $args) {}
+}
+
+call_user_func((new Foo)->bar(...));
+
+?>
+--EXPECTF--
+Notice: Only variable references should be returned by reference in %s on line %d
diff --git a/Zend/zend_closures.c b/Zend/zend_closures.c
index bbd3b85e6fb..f261edb22bc 100644
--- a/Zend/zend_closures.c
+++ b/Zend/zend_closures.c
@@ -845,7 +845,7 @@ void zend_closure_from_frame(zval *return_value, zend_execute_data *call) { /* {
 
 		memset(&trampoline, 0, sizeof(zend_internal_function));
 		trampoline.type = ZEND_INTERNAL_FUNCTION;
-		trampoline.fn_flags = mptr->common.fn_flags & ZEND_ACC_STATIC;
+		trampoline.fn_flags = mptr->common.fn_flags & (ZEND_ACC_STATIC|ZEND_ACC_RETURN_REFERENCE);
 		trampoline.handler = zend_closure_call_magic;
 		trampoline.function_name = mptr->common.function_name;
 		trampoline.scope = mptr->common.scope;
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index def9695ed98..3446fb2c964 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -1281,7 +1281,10 @@ ZEND_API zend_function *zend_get_call_trampoline_func(zend_class_entry *ce, zend
 	func->arg_flags[0] = 0;
 	func->arg_flags[1] = 0;
 	func->arg_flags[2] = 0;
-	func->fn_flags = ZEND_ACC_CALL_VIA_TRAMPOLINE | ZEND_ACC_PUBLIC | ZEND_ACC_VARIADIC;
+	func->fn_flags = ZEND_ACC_CALL_VIA_TRAMPOLINE
+		| ZEND_ACC_PUBLIC
+		| ZEND_ACC_VARIADIC
+		| (fbc->common.fn_flags & ZEND_ACC_RETURN_REFERENCE);
 	if (is_static) {
 		func->fn_flags |= ZEND_ACC_STATIC;
 	}