Fix circumvented type check with return by ref + finally

iluuu1994 · iluuu1994 · commit f9a58fc79cac · 2025-07-18T15:31:32.000+02:00
Fixes GH-18736
diff --git a/Zend/tests/gh18736.phpt b/Zend/tests/gh18736.phpt
@@ -0,0 +1,24 @@
+--TEST--
+GH-18736: Circumvented type check with return by ref + finally
+--FILE--
+<?php
+
+function &test(): int {
+    $x = 0;
+    try {
+        return $x;
+    } finally {
+        $x = 'test';
+    }
+}
+
+try {
+    $x = &test();
+    var_dump($x);
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+test(): Return value must be of type int, string returned
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
@@ -5703,6 +5703,15 @@ static void zend_compile_return(zend_ast *ast) /* {{{ */
 
 	zend_handle_loops_and_finally((expr_node.op_type & (IS_TMP_VAR | IS_VAR)) ? &expr_node : NULL);
 
+	/* Content of reference might have changed in finally, repeat type check. */
+	if (by_ref
+	 && !zend_stack_is_empty(&CG(loop_var_stack))
+	 && !is_generator
+	 && (CG(active_op_array)->fn_flags & ZEND_ACC_HAS_RETURN_TYPE)) {
+		zend_emit_return_type_check(
+			expr_ast ? &expr_node : NULL, CG(active_op_array)->arg_info - 1, 0);
+	}
+
 	opline = zend_emit_op(NULL, by_ref ? ZEND_RETURN_BY_REF : ZEND_RETURN,
 		&expr_node, NULL);
 
