Merge branch 'PHP-8.4'

iluuu1994 · iluuu1994 · commit a262419398f8 · 2025-08-01T00:36:38.000+02:00
* PHP-8.4:
  Fix circumvented type check with return by ref + finally
diff --git a/Zend/tests/gh18736.phpt b/Zend/tests/gh18736.phpt
@@ -0,0 +1,24 @@
+--TEST--
+GH-18736: Circumvented type check with return by ref + finally
+--FILE--
+<?php
+
+function &test(): int {
+    $x = 0;
+    try {
+        return $x;
+    } finally {
+        $x = 'test';
+    }
+}
+
+try {
+    $x = &test();
+    var_dump($x);
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+test(): Return value must be of type int, string returned
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
@@ -5699,8 +5699,20 @@ static void zend_compile_return(zend_ast *ast) /* {{{ */
 			expr_ast ? &expr_node : NULL, CG(active_op_array)->arg_info - 1, 0);
 	}
 
+	uint32_t opnum_before_finally = get_next_op_number();
+
 	zend_handle_loops_and_finally((expr_node.op_type & (IS_TMP_VAR | IS_VAR)) ? &expr_node : NULL);
 
+	/* Content of reference might have changed in finally, repeat type check. */
+	if (by_ref
+	 /* Check if any opcodes were emitted since the last return type check. */
+	 && opnum_before_finally != get_next_op_number()
+	 && !is_generator
+	 && (CG(active_op_array)->fn_flags & ZEND_ACC_HAS_RETURN_TYPE)) {
+		zend_emit_return_type_check(
+			expr_ast ? &expr_node : NULL, CG(active_op_array)->arg_info - 1, 0);
+	}
+
 	opline = zend_emit_op(NULL, by_ref ? ZEND_RETURN_BY_REF : ZEND_RETURN,
 		&expr_node, NULL);
 
