Fix UAF in is_callable() and allocated trampoline

By nulling out the function_handler, so it will not get used
below. Reuse the existing helper for this purpose.

Author: nikic

Zend/tests/is_callable_trampoline_uaf.phpt

@@ -0,0 +1,27 @@
+--TEST--
+is_callable() with trampoline should not caused UAF
+--FILE--
+<?php
+
+class B {}
+class A extends B {
+    public function bar($func) {
+        var_dump(is_callable(array('parent', 'foo')));
+    }
+
+    public function __call($func, $args) {
+    }
+}
+
+class X {
+    public static function __callStatic($func, $args) {
+    }
+}
+
+$a = new A();
+// Extra X::foo() wrapper to force use of allocated trampoline.
+X::foo($a->bar('foo'));
+
+?>
+--EXPECT--
+bool(false)

Zend/zend_API.c

@@ -3154,13 +3154,7 @@ static zend_always_inline int zend_is_callable_check_func(int check_flags, zval
 					if (strict_class &&
 					    (!fcc->function_handler->common.scope ||
 					     !instanceof_function(ce_org, fcc->function_handler->common.scope))) {
-						if (fcc->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) {
-							if (fcc->function_handler->type != ZEND_OVERLOADED_FUNCTION &&
-								fcc->function_handler->common.function_name) {
-								zend_string_release_ex(fcc->function_handler->common.function_name, 0);
-							}
-							zend_free_trampoline(fcc->function_handler);
-						}
+						zend_release_fcall_info_cache(fcc);
 					} else {
 						retval = 1;
 						call_via_handler = (fcc->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) != 0;