From 4aac98f1456069b69ffd701dadb31be014a8e90c Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Wed, 2 Jul 2025 20:29:35 +0200 Subject: [PATCH] Fix OSS-Fuzz #428983568 and #428760800 Both these issues have the same root cause, their reproducer is extremely similar so I don't duplicate the test. If the parser invokes the lexer, and the lexer fails, it could've allocated a string which must be freed when the parser backs up. The `%destructor` list is responsible for this but did not have an entry for `fallback` yet. Solve the issue by adding such an entry. Closes GH-19012. --- NEWS | 1 + Zend/tests/zend_ini/oss_fuzz_428983568.phpt | 14 ++++++++++++++ Zend/zend_ini_parser.y | 2 +- 3 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 Zend/tests/zend_ini/oss_fuzz_428983568.phpt diff --git a/NEWS b/NEWS index 814c4692f3d..11b5146bc33 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,7 @@ PHP NEWS . Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction order). (Daniil Gentili) . Fix OSS-Fuzz #427814456. (nielsdos) + . Fix OSS-Fuzz #428983568 and #428760800. (nielsdos) - Curl: . Fix memory leaks when returning refcounted value from curl callback. diff --git a/Zend/tests/zend_ini/oss_fuzz_428983568.phpt b/Zend/tests/zend_ini/oss_fuzz_428983568.phpt new file mode 100644 index 00000000000..80310fbd928 --- /dev/null +++ b/Zend/tests/zend_ini/oss_fuzz_428983568.phpt @@ -0,0 +1,14 @@ +--TEST-- +OSS-Fuzz #428983568 +--FILE-- + +--EXPECTF-- +Warning: syntax error, unexpected end of file, expecting '}' in Unknown on line 1 + in %s on line %d +bool(false) diff --git a/Zend/zend_ini_parser.y b/Zend/zend_ini_parser.y index 352f2eb3eec..370493d54e1 100644 --- a/Zend/zend_ini_parser.y +++ b/Zend/zend_ini_parser.y 
@@ -353,7 +353,7 @@ static void normalize_value(zval *zv)
 %left '|' '&' '^'
 %precedence '~' '!'
-%destructor { zval_ini_dtor(&$$); } TC_RAW TC_CONSTANT TC_NUMBER TC_STRING TC_WHITESPACE TC_LABEL TC_OFFSET TC_VARNAME BOOL_TRUE BOOL_FALSE NULL_NULL cfg_var_ref constant_literal constant_string encapsed_list expr option_offset section_string_or_value string_or_value var_string_list var_string_list_section
+%destructor { zval_ini_dtor(&$$); } TC_RAW TC_CONSTANT TC_NUMBER TC_STRING TC_WHITESPACE TC_LABEL TC_OFFSET TC_VARNAME BOOL_TRUE BOOL_FALSE NULL_NULL cfg_var_ref constant_literal constant_string encapsed_list expr fallback option_offset section_string_or_value string_or_value var_string_list var_string_list_section
 %%
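Review bot: The `%destructor` symbol list is still maintained by hand, and nothing in this hunk stops the next value-carrying nonterminal from being left out the way `fallback` was. A comment above the directive would record the invariant, for example `/* Every token and nonterminal whose semantic value can own an allocated string must be listed here; the parser runs this destructor on symbols it discards after a syntax or lexer error. */`. Since the input reaching this parser can be untrusted INI text, it seems worth auditing the remaining nonterminals in the grammar rules, which lie outside this hunk, for any others that carry a zval and are missing from the list.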