Fix a corruption bug, when erroneously allowing to send non-variables by reference (several

bug-db reports seem to originate in this bug)

Zend/zend_compile.c

@@ -942,20 +942,19 @@ void do_pass_param(znode *param, int op, int offset CLS_DC)
 		arg_types = NULL;
 	}
 
-	if (op == ZEND_SEND_VAL) {
+	if (op==ZEND_SEND_VAL) {
 		switch (param->op_type) {
 			case IS_CONST:	/* constants behave like variables when passed to functions,
 							 * as far as reference counting is concerned.  Treat them
 							 * as if they were variables here.
 							 */
 			case IS_VAR:
-				op = ZEND_SEND_VAR;
+				op = ZEND_SEND_VAR_NO_REF;
 				break;
 		}
 	}
-
-
-	if (ARG_SHOULD_BE_SENT_BY_REF(offset, 1, arg_types)) {
+	if (op!=ZEND_SEND_VAR_NO_REF
+		&& ARG_SHOULD_BE_SENT_BY_REF(offset, 1, arg_types)) {
 		/* change to passing by reference */
 		switch (param->op_type) {
 			case IS_VAR:
@@ -969,6 +968,7 @@ void do_pass_param(znode *param, int op, int offset CLS_DC)
 
 	if (original_op==ZEND_SEND_VAR) {
 		switch(op) {
+			case ZEND_SEND_VAR_NO_REF:
 			case ZEND_SEND_VAR:
 				if (function_ptr) {
 					do_end_variable_parse(BP_VAR_R, 0 CLS_CC);

Zend/zend_compile.h

@@ -537,6 +537,8 @@ int zendlex(znode *zendlval CLS_DC);
 
 #define ZEND_TICKS					105
 
+#define ZEND_SEND_VAR_NO_REF		106
+
 /* end of block */
 
 

Zend/zend_execute.c

@@ -1651,9 +1651,13 @@ do_fcall_common:
 				}
 				NEXT_OPCODE();
 			case ZEND_SEND_VAR:
+			case ZEND_SEND_VAR_NO_REF:
 				if (opline->extended_value==ZEND_DO_FCALL_BY_NAME
 					&& ARG_SHOULD_BE_SENT_BY_REF(opline->op2.u.opline_num, fbc, fbc->common.arg_types)) {
-						goto send_by_ref;
+					if (opline->opcode==ZEND_SEND_VAR_NO_REF) {
+						zend_error(E_ERROR, "Only variables can be passed by reference");
+					}
+					goto send_by_ref;
 				}
 				{
 					zval *varptr;