Fixed access to memory that is already freed (in case of __call() method)

Zend/zend_vm_def.h

@@ -1868,6 +1868,8 @@ ZEND_VM_HELPER(zend_do_fcall_common_helper, ANY, ANY)
 		}
 	}
 	if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION) {
+		unsigned char return_reference = EX(function_state).function->common.return_reference;
+
 		ALLOC_ZVAL(EX_T(opline->result.u.var).var.ptr);
 		INIT_ZVAL(*(EX_T(opline->result.u.var).var.ptr));
 
@@ -1903,7 +1905,7 @@ ZEND_VM_HELPER(zend_do_fcall_common_helper, ANY, ANY)
 		if (!return_value_used) {
 			zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
 		} else {
-			EX_T(opline->result.u.var).var.fcall_returned_reference = EX(function_state).function->common.return_reference;
+			EX_T(opline->result.u.var).var.fcall_returned_reference = return_reference;
 		}
 	} else if (EX(function_state).function->type == ZEND_USER_FUNCTION) {
 		HashTable *calling_symbol_table;

Zend/zend_vm_execute.h

@@ -172,6 +172,8 @@ static int zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS)
 		}
 	}
 	if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION) {
+		unsigned char return_reference = EX(function_state).function->common.return_reference;
+
 		ALLOC_ZVAL(EX_T(opline->result.u.var).var.ptr);
 		INIT_ZVAL(*(EX_T(opline->result.u.var).var.ptr));
 
@@ -207,7 +209,7 @@ static int zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS)
 		if (!return_value_used) {
 			zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
 		} else {
-			EX_T(opline->result.u.var).var.fcall_returned_reference = EX(function_state).function->common.return_reference;
+			EX_T(opline->result.u.var).var.fcall_returned_reference = return_reference;
 		}
 	} else if (EX(function_state).function->type == ZEND_USER_FUNCTION) {
 		HashTable *calling_symbol_table;