Fixed bug #81208

The number of populated positional arguments is argc. i may also
include named args and thus try to dtor uninitialized zvals.

Author: nikic

NEWS

@@ -22,6 +22,10 @@ PHP                                                                        NEWS
 - PCRE:
   . Fixed bug #81101 (PCRE2 10.37 shows unexpected result). (Anatol)
 
+- Reflection:
+  . Fixed bug #81208 (Segmentation fault while create newInstance from
+    attribute). (Nikita)
+
 17 Jun 2021, PHP 8.0.8
 
 - Core:

ext/reflection/php_reflection.c

@@ -6435,7 +6435,7 @@ ZEND_METHOD(ReflectionAttribute, newInstance)
 		for (uint32_t i = 0; i < attr->data->argc; i++) {
 			zval val;
 			if (FAILURE == zend_get_attribute_value(&val, attr->data, i, attr->scope)) {
-				attribute_ctor_cleanup(&obj, args, i, named_params);
+				attribute_ctor_cleanup(&obj, args, argc, named_params);
 				RETURN_THROWS();
 			}
 			if (attr->data->args[i].name) {

ext/reflection/tests/bug81208.phpt

@@ -0,0 +1,28 @@
+--TEST--
+Bug #81208: Segmentation fault while create newInstance from attribute
+--FILE--
+<?php
+
+#[Attribute(Attribute::TARGET_PROPERTY)]
+class MyAnnotation
+{
+    public function __construct(public bool $nullable = false) {}
+}
+
+class MyClass {
+    #[MyAnnotation(name: "my_name", type: "integer", nullable: asdasdasd)]
+    public $property;
+}
+
+$z = new ReflectionClass(MyClass::class);
+foreach ($z->getProperty("property")->getAttributes() as $attribute) {
+    try {
+        $attribute->newInstance();
+    } catch (Error $e) {
+        echo $e->getMessage(), "\n";
+    }
+}
+
+?>
+--EXPECT--
+Undefined constant "asdasdasd"