| author | Antony Dovgal <tony2001@php.net> | 2007-04-27 08:12:24 +0000 |
|---|---|---|
| committer | Antony Dovgal <tony2001@php.net> | 2007-04-27 08:12:24 +0000 |
| commit | de4f3007e2eebe6c08679ababe94410c0b8ed41e (patch) | |
| tree | 5905f271a385849c5cf0b263f3e5dfd9a69fdf82 /Zend/zend_execute_API.c | |
| parent | 88bef568da7180b0a5303a814f02f5549c27620e (diff) | |
MFH: initialize retval_ptr_ptr before returning FAILURE
this fixes invalid read in #41209
Diffstat (limited to 'Zend/zend_execute_API.c')
| -rw-r--r-- | Zend/zend_execute_API.c | 7 |
1 files changed, 2 insertions, 5 deletions
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
index f51289a94c..7ca181a179 100644
--- a/Zend/zend_execute_API.c
+++ b/Zend/zend_execute_API.c
@@ -622,6 +622,8 @@ int zend_call_function(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache TS
 char *fname, *colon;
 int fname_len;

+ *fci->retval_ptr_ptr = NULL;
+
 if (!EG(active)) {
 return FAILURE; /* executor is already inactive */
 }
@@ -652,11 +654,6 @@ int zend_call_function(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache TS
 memset(&execute_data, 0, sizeof(zend_execute_data));
 }

- /* we may return SUCCESS, and yet retval may be uninitialized,
- * if there was an exception...
- */
- *fci->retval_ptr_ptr = NULL;
-
 if (!fci_cache || !fci_cache->initialized) {
 if (Z_TYPE_P(fci->function_name)==IS_ARRAY) { /* assume array($obj, $name) couple */
 zval **tmp_object_ptr, **tmp_real_function_name; |
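Review bot: The new `*fci->retval_ptr_ptr = NULL;` at the top of zend_call_function carries no comment, and the second hunk deletes the only explanation of why the slot is cleared. Because the store now runs before every early `return FAILURE`, including the `!EG(active)` one, I would state that contract at the new line, e.g. `/* always reset the caller's retval slot: on FAILURE, or SUCCESS with an exception, it must be NULL rather than an uninitialized pointer */`. The store also dereferences `fci->retval_ptr_ptr` before any validation visible in this hunk, so a caller that passes NULL there would now fault on the early-failure paths as well. Whether NULL is ever a legal value cannot be seen from here; if it is, the line should be `if (fci->retval_ptr_ptr) *fci->retval_ptr_ptr = NULL;`. The function body starts and ends outside both hunks.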
