Fix GH-21362: ReflectionMethod::invoke/invokeArgs() rejects different Closure instances

iliaal · iliaal · commit 1581e117f402 · 2026-03-06T17:21:00.000-05:00
ReflectionMethod::invokeArgs() (and invoke()) for Closure::__invoke() incorrectly accepted any Closure object, not just the one the ReflectionMethod was created from. This happened because all Closures share a single zend_ce_closure class entry, so the instanceof_function() check always passed. Fix: store the original Closure object in intern->obj during ReflectionMethod construction, then compare object identity in reflection_method_invoke() to reject different Closure instances. Closes GH-21362
diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
@@ -3306,7 +3306,9 @@ static void instantiate_reflection_method(INTERNAL_FUNCTION_PARAMETERS, bool is_
 		&& memcmp(lcname, ZEND_INVOKE_FUNC_NAME, sizeof(ZEND_INVOKE_FUNC_NAME)-1) == 0
 		&& (mptr = zend_get_closure_invoke_method(orig_obj)) != NULL)
 	{
-		/* do nothing, mptr already set */
+		/* Store the original closure object so we can validate it in invoke/invokeArgs.
+		 * Each closure has a unique __invoke signature, so we must reject different closures. */
+		ZVAL_OBJ_COPY(&intern->obj, orig_obj);
 	} else if ((mptr = zend_hash_str_find_ptr(&ce->function_table, lcname, method_name_len)) == NULL) {
 		efree(lcname);
 		zend_throw_exception_ex(reflection_exception_ptr, 0,
@@ -3441,6 +3443,17 @@ static void reflection_method_invoke(INTERNAL_FUNCTION_PARAMETERS, int variadic)
 			_DO_THROW("Given object is not an instance of the class this method was declared in");
 			RETURN_THROWS();
 		}
+
+		/* For Closure::__invoke(), each closure instance has its own signature.
+		 * Verify that the passed object is the same closure this method was reflected from. */
+		if (obj_ce == zend_ce_closure && !Z_ISUNDEF(intern->obj)
+				&& Z_OBJ_P(object) != Z_OBJ(intern->obj)) {
+			if (!variadic) {
+				efree(params);
+			}
+			_DO_THROW("Given object is not an instance of the class this method was declared in");
+			RETURN_THROWS();
+		}
 	}
 	/* Copy the zend_function when calling via handler (e.g. Closure::__invoke()) */
 	callback = _copy_function(mptr);
diff --git a/ext/reflection/tests/gh21362.phpt b/ext/reflection/tests/gh21362.phpt
@@ -0,0 +1,38 @@
+--TEST--
+GH-21362 (ReflectionMethod::invokeArgs() for Closure::__invoke() accepts objects from different Closures)
+--FILE--
+<?php
+
+$c1 = function ($foo, $bar) {
+    echo "c1: foo={$foo}, bar={$bar}\n";
+};
+
+$c2 = function ($bar, $foo) {
+    echo "c2: foo={$foo}, bar={$bar}\n";
+};
+
+$m = new ReflectionMethod($c1, '__invoke');
+
+// invokeArgs with the correct Closure should work
+$m->invokeArgs($c1, ['foo' => 'FOO', 'bar' => 'BAR']);
+
+// invokeArgs with a different Closure should throw
+try {
+    $m->invokeArgs($c2, ['foo' => 'FOO', 'bar' => 'BAR']);
+    echo "No exception thrown\n";
+} catch (ReflectionException $e) {
+    echo $e->getMessage() . "\n";
+}
+
+// invoke with a different Closure should also throw
+try {
+    $m->invoke($c2, 'FOO', 'BAR');
+    echo "No exception thrown\n";
+} catch (ReflectionException $e) {
+    echo $e->getMessage() . "\n";
+}
+?>
+--EXPECT--
+c1: foo=FOO, bar=BAR
+Given object is not an instance of the class this method was declared in
+Given object is not an instance of the class this method was declared in
