archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 13:38:49 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-8.3'

Browse source 
* PHP-8.3:
  Fix OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
This commit is contained in:
George Peter Banyard 2023-09-05 10:41:22 +01:00
commit 2d3bff38bb
7 changed files with 123 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

18
Zend/tests/in-de-crement/oss-fuzz-61865_binop_declared_property_unset_error_handler.phpt Normal file
View file

@ -0,0 +1,18 @@
--TEST--
OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
--FILE--
<?php
class C {
public $a;
function errorHandler($errno, $errstr) {
unset($this->a);
}
}
$c = new C;
set_error_handler([$c,'errorHandler']);
unset($c->a);
$c->a += 5;
var_dump($c->a);
?>
--EXPECT--
int(5)

20
Zend/tests/in-de-crement/oss-fuzz-61865_postdec_declared_property_unset_error_handler.phpt Normal file
View file

@ -0,0 +1,20 @@
--TEST--
OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
--FILE--
<?php
class C {
public $a;
function errorHandler($errno, $errstr) {
unset($this->a);
}
}
$c = new C;
set_error_handler([$c,'errorHandler']);
unset($c->a);
$v = ($c->a--);
var_dump($c->a);
var_dump($v);
?>
--EXPECT--
NULL
NULL

20
Zend/tests/in-de-crement/oss-fuzz-61865_postinc_declared_property_unset_error_handler.phpt Normal file
View file

@ -0,0 +1,20 @@
--TEST--
OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
--FILE--
<?php
class C {
public $a;
function errorHandler($errno, $errstr) {
unset($this->a);
}
}
$c = new C;
set_error_handler([$c,'errorHandler']);
unset($c->a);
$v = ($c->a++);
var_dump($c->a);
var_dump($v);
?>
--EXPECT--
int(1)
NULL

18
Zend/tests/in-de-crement/oss-fuzz-61865_predec_declared_property_unset_error_handler.phpt Normal file
View file

@ -0,0 +1,18 @@
--TEST--
OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
--FILE--
<?php
class C {
public $a;
function errorHandler($errno, $errstr) {
unset($this->a);
}
}
$c = new C;
set_error_handler([$c,'errorHandler']);
unset($c->a);
(--$c->a);
var_dump($c->a);
?>
--EXPECT--
NULL

18
Zend/tests/in-de-crement/oss-fuzz-61865_preinc_declared_property_unset_error_handler.phpt Normal file
View file

@ -0,0 +1,18 @@
--TEST--
OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
--FILE--
<?php
class C {
public $a;
function errorHandler($errno, $errstr) {
unset($this->a);
}
}
$c = new C;
set_error_handler([$c,'errorHandler']);
unset($c->a);
(++$c->a);
var_dump($c->a);
?>
--EXPECT--
int(1)

25
Zend/tests/in-de-crement/unset_property_converted_to_obj_in_error_handler.phpt Normal file
View file

@ -0,0 +1,25 @@
--TEST--
Unset declared property converted to object in error handler
--FILE--
<?php
class C {
public $a;
function errorHandler() {
$this->a = new stdClass();
}
}
$c = new C;
set_error_handler([$c,'errorHandler']);
unset($c->a);
try {
(++$c->a);
} catch (\TypeError $e) {
echo $e->getMessage(), PHP_EOL;
}
var_dump($c->a);
?>
--EXPECT--
Cannot increment stdClass
object(stdClass)#2 (0) {
}

5
Zend/zend_object_handlers.c
View file

@ -1117,8 +1117,11 @@ ZEND_API zval *zend_std_get_property_ptr_ptr(zend_object *zobj, zend_string *nam
ZSTR_VAL(name));
retval = &EG(error_zval);
} else {
ZVAL_NULL(retval);
zend_error(E_WARNING, "Undefined property: %s::$%s", ZSTR_VAL(zobj->ce->name), ZSTR_VAL(name));
/* An error handler may set the property */
if (EXPECTED(Z_TYPE_P(retval) == IS_UNDEF)) {
ZVAL_NULL(retval);
}
}
} else if (prop_info && UNEXPECTED(prop_info->flags & ZEND_ACC_READONLY)) {
/* Readonly property, delegate to read_property + write_property. */