Fixed oss-fuzz #62294: Unsetting variable after ++/-- on string variable warning

Closes GH-12202
2025-08-15 13:38:49 +02:00 · 2023-09-13 15:15:15 +01:00 · 2023-09-13 15:15:15 +01:00 · 0b614a6c2b
commit 0b614a6c2b
parent 673babed24
4 changed files with 51 additions and 7 deletions
--- a/2
+++ b/2
@ -5,6 +5,8 @@ PHP                                                                        NEWS
 - Core:
  . Fixed bug GH-12189 (#[Override] attribute in trait does not check for
    parent class implementations). (timwolla)
  . Fixed OSS Fuzz #62294 (Unsetting variable after ++/-- on string variable
    warning). (Girgias)
 - Filter:
  . Fix explicit FILTER_REQUIRE_SCALAR with FILTER_CALLBACK (ilutov)
--- a/Zend/tests/in-de-crement/oss-fuzz-60709_globals_unset_after_undef_warning.phpt
+++ b/Zend/tests/in-de-crement/oss-fuzz-60709_globals_unset_after_undef_warning.phpt
@ -1,5 +1,5 @@
 --TEST--
-oss-fuzz #60709: Test
+oss-fuzz #60709: Unsetting variable after undefined variable warning in ++/--
 --FILE--
 <?php
 set_error_handler(function($_, $m) {
--- a/Zend/tests/in-de-crement/oss-fuzz-62294_globals_unset_after_string_warning.phpt
+++ b/Zend/tests/in-de-crement/oss-fuzz-62294_globals_unset_after_string_warning.phpt
@ -0,0 +1,38 @@
 --TEST--
 oss-fuzz #62294: Unsetting variable after ++/-- on string variable warning
 --FILE--
 <?php
 set_error_handler(function($_, $m) {
    echo "$m\n";
    unset($GLOBALS['x']);
 });
 $x=" ";
 echo "POST DEC\n";
 var_dump($x--);
 $x=" ";
 echo "PRE DEC\n";
 var_dump(--$x);
 $x=" ";
 echo "POST INC\n";
 var_dump($x++);
 $x=" ";
 echo "PRE INC\n";
 var_dump(++$x);
 ?>
 --EXPECT--
 POST DEC
 Decrement on non-numeric string has no effect and is deprecated
 string(1) " "
 PRE DEC
 Decrement on non-numeric string has no effect and is deprecated
 string(1) " "
 POST INC
 Increment on non-alphanumeric string is deprecated
 string(1) " "
 PRE INC
 Increment on non-alphanumeric string is deprecated
 string(1) " "
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@ -2528,13 +2528,10 @@ static bool ZEND_FASTCALL increment_string(zval *str) /* {{{ */
 	if (UNEXPECTED(!zend_string_only_has_ascii_alphanumeric(Z_STR_P(str)))) {
 		zend_string *zstr = Z_STR_P(str);
-		GC_TRY_ADDREF(zstr);
+		zend_string_addref(zstr);
 		zend_error(E_DEPRECATED, "Increment on non-alphanumeric string is deprecated");
 		if (EG(exception)) {
-			GC_TRY_DELREF(zstr);
+			zend_string_release(zstr);
 			if (!GC_REFCOUNT(zstr)) {
 				efree(zstr);
 			}
 			return false;
 		}
 		zval_ptr_dtor(str);
@ -2737,11 +2734,18 @@ try_again:
 					zval_ptr_dtor_str(op1);
 					ZVAL_DOUBLE(op1, dval - 1);
 					break;
-				default:
+				default: {
 					/* Error handler can unset the variable */
 					zend_string *zstr = Z_STR_P(op1);
 					zend_string_addref(zstr);
 					zend_error(E_DEPRECATED, "Decrement on non-numeric string has no effect and is deprecated");
 					if (EG(exception)) {
 						zend_string_release(zstr);
 						return FAILURE;
 					}
 					zval_ptr_dtor(op1);
 					ZVAL_STR(op1, zstr);
 				}
 			}
 			break;
 		case IS_NULL: {