Merge branch 'PHP-7.4'

* PHP-7.4:
  Reset trampoline on executor startup
  Fix UAF in is_callable() and allocated trampoline

Zend/tests/is_callable_trampoline_uaf.phpt

@@ -0,0 +1,27 @@
+--TEST--
+is_callable() with trampoline should not caused UAF
+--FILE--
+<?php
+
+class B {}
+class A extends B {
+    public function bar($func) {
+        var_dump(is_callable(array('parent', 'foo')));
+    }
+
+    public function __call($func, $args) {
+    }
+}
+
+class X {
+    public static function __callStatic($func, $args) {
+    }
+}
+
+$a = new A();
+// Extra X::foo() wrapper to force use of allocated trampoline.
+X::foo($a->bar('foo'));
+
+?>
+--EXPECT--
+bool(false)

Zend/zend_API.c

@@ -2963,12 +2963,7 @@ get_function_via_handler:
 					if (strict_class &&
 					    (!fcc->function_handler->common.scope ||
 					     !instanceof_function(ce_org, fcc->function_handler->common.scope))) {
-						if (fcc->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) {
+						zend_release_fcall_info_cache(fcc);
-							if (fcc->function_handler->common.function_name) {
-								zend_string_release_ex(fcc->function_handler->common.function_name, 0);
-							}
-							zend_free_trampoline(fcc->function_handler);
-						}
 					} else {
 						retval = 1;
 						call_via_handler = (fcc->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) != 0;

Zend/zend_execute_API.c

@@ -173,6 +173,7 @@ void init_executor(void) /* {{{ */
 	EG(prev_exception) = NULL;
 
 	EG(fake_scope) = NULL;
+	EG(trampoline).common.function_name = NULL;
 
 	EG(ht_iterators_count) = sizeof(EG(ht_iterators_slots)) / sizeof(HashTableIterator);
 	EG(ht_iterators_used) = 0;