From e304468e57692d4dfcf283346dd67c3e418e1934 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Mon, 12 Oct 2020 11:03:39 +0200
Subject: [PATCH 1/2] Deindirect source elements in zend_hash_merge
If the RHS has INDIRECT elements, we do not those to be added to the LHS verbatim. As we're using UPDATE_INDIRECT, we might even create a nested INDIRECT that way. This is a side-quest of oss-fuzz #26245.
---
 Zend/tests/array_add_indirect.phpt | 16 ++++++++++++++++
 Zend/zend_hash.c | 30 +++++++++++++++++-------------
 2 files changed, 33 insertions(+), 13 deletions(-)
 create mode 100644 Zend/tests/array_add_indirect.phpt
diff --git a/Zend/tests/array_add_indirect.phpt b/Zend/tests/array_add_indirect.phpt
new file mode 100644
index 00000000000..821cc475b94
--- /dev/null
+++ b/Zend/tests/array_add_indirect.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Array addition should not add INDIRECT elements
+--FILE--
+ 1];
+$ary += $GLOBALS;
+var_dump($ary['x']);
+$x = 2;
+var_dump($ary['x']);
+
+?>
+--EXPECT--
+int(1)
+int(1)
diff --git a/Zend/zend_hash.c b/Zend/zend_hash.c
index 2fb0eac448f..7ba4f32c4df 100644
--- a/Zend/zend_hash.c
+++ b/Zend/zend_hash.c
@@ -1999,7 +1999,7 @@ ZEND_API void ZEND_FASTCALL zend_hash_merge(HashTable *target, HashTable *source
 {
 uint32_t idx;
 Bucket *p;
- zval *t;
+ zval *t, *s;
 IS_CONSISTENT(source);
 IS_CONSISTENT(target);
@@ -2008,18 +2008,20 @@ ZEND_API void ZEND_FASTCALL zend_hash_merge(HashTable *target, HashTable *source
 if (overwrite) {
 for (idx = 0; idx < source->nNumUsed; idx++) {
 p = source->arData + idx;
- if (UNEXPECTED(Z_TYPE(p->val) == IS_UNDEF)) continue;
- if (UNEXPECTED(Z_TYPE(p->val) == IS_INDIRECT) &&
- UNEXPECTED(Z_TYPE_P(Z_INDIRECT(p->val)) == IS_UNDEF)) {
- continue;
+ s = &p->val;
+ if (UNEXPECTED(Z_TYPE_P(s) == IS_INDIRECT)) {
+ s = Z_INDIRECT_P(s);
+ }
+ if (UNEXPECTED(Z_TYPE_P(s) == IS_UNDEF)) {
+ continue;
 }
 if (p->key) {
- t = _zend_hash_add_or_update_i(target, p->key, &p->val, HASH_UPDATE | HASH_UPDATE_INDIRECT);
+ t = _zend_hash_add_or_update_i(target, p->key, s, HASH_UPDATE | HASH_UPDATE_INDIRECT);
 if (pCopyConstructor) {
 pCopyConstructor(t);
 }
 } else {
- t = zend_hash_index_update(target, p->h, &p->val);
+ t = zend_hash_index_update(target, p->h, s);
 if (pCopyConstructor) {
 pCopyConstructor(t);
 }
@@ -2028,18 +2030,20 @@ ZEND_API void ZEND_FASTCALL zend_hash_merge(HashTable *target, HashTable *source
 } else {
 for (idx = 0; idx < source->nNumUsed; idx++) {
 p = source->arData + idx;
- if (UNEXPECTED(Z_TYPE(p->val) == IS_UNDEF)) continue;
- if (UNEXPECTED(Z_TYPE(p->val) == IS_INDIRECT) &&
- UNEXPECTED(Z_TYPE_P(Z_INDIRECT(p->val)) == IS_UNDEF)) {
- continue;
+ s = &p->val;
+ if (UNEXPECTED(Z_TYPE_P(s) == IS_INDIRECT)) {
+ s = Z_INDIRECT_P(s);
+ }
+ if (UNEXPECTED(Z_TYPE_P(s) == IS_UNDEF)) {
+ continue;
 }
 if (p->key) {
- t = _zend_hash_add_or_update_i(target, p->key, &p->val, HASH_ADD | HASH_UPDATE_INDIRECT);
+ t = _zend_hash_add_or_update_i(target, p->key, s, HASH_ADD | HASH_UPDATE_INDIRECT);
 if (t && pCopyConstructor) {
 pCopyConstructor(t);
 }
 } else {
- t = zend_hash_index_add(target, p->h, &p->val);
+ t = zend_hash_index_add(target, p->h, s);
 if (t && pCopyConstructor) {
 pCopyConstructor(t);
 }
From 3c4dd73c023e4aea317f774e045fdccc644f24b5 Mon Sep 17 00:00:00 2001
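Review bot: The deindirection prologue (`s = &p->val;` / `if (… IS_INDIRECT) s = Z_INDIRECT_P(s);` / `if (… IS_UNDEF) continue;`) is now duplicated verbatim in the overwrite loop of this hunk and in the add loop of the next one (`@@ -2028`); a small `static zend_always_inline` helper that returns NULL for an undefined slot would keep both loops in sync the next time the INDIRECT rules change, and the loops would read as a single `if (!s) continue;`. The `HASH_UPDATE_INDIRECT` flag on the `_zend_hash_add_or_update_i` calls now only concerns INDIRECT slots on the target side, since the source value is already resolved, which deserves a one-line comment above the call such as `/* s is already deindirected; HASH_UPDATE_INDIRECT only resolves INDIRECT slots in target */`. One thing to confirm with the author: if target holds an INDIRECT slot that resolves to the very zval `s` points at, the update path would (as far as I read it) destroy and then copy from the same zval — the follow-up patch guards the `$GLOBALS += $GLOBALS` case at the operator level, so a comment stating that zend_hash_merge relies on callers to rule out such aliasing would make that contract explicit. zend_hash_merge begins before this hunk and its body continues past the second one.
```c
/* Resolve an INDIRECT source slot to the value it points at.
 * Returns NULL when the slot (directly or indirectly) holds no value. */
static zend_always_inline zval *zend_hash_merge_source_val(Bucket *p)
{
	zval *s = &p->val;
	if (UNEXPECTED(Z_TYPE_P(s) == IS_INDIRECT)) {
		s = Z_INDIRECT_P(s);
	}
	return UNEXPECTED(Z_TYPE_P(s) == IS_UNDEF) ? NULL : s;
}

/* … unchanged: zend_hash_merge header, both loops use the same prologue … */
			p = source->arData + idx;
			s = zend_hash_merge_source_val(p);
			if (!s) {
				continue;
			}
/* … unchanged: add/update calls and pCopyConstructor handling … */
```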
From: Nikita Popov
Date: Mon, 12 Oct 2020 11:22:39 +0200
Subject: [PATCH 2/2] Detect self-addition of array more accurately
While the zvals may be different, they may still point to the same array. Fixes oss-fuzz #26245.
---
 Zend/tests/array_self_add_globals.phpt | 10 ++++++++++
 Zend/zend_operators.c | 2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/array_self_add_globals.phpt
diff --git a/Zend/tests/array_self_add_globals.phpt b/Zend/tests/array_self_add_globals.phpt
new file mode 100644
index 00000000000..ebad7c3fdf1
--- /dev/null
+++ b/Zend/tests/array_self_add_globals.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Add $GLOBALS to itself
+--FILE--
+
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index 45cdc1b11c9..7338e471b65 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -903,7 +903,7 @@ try_again:
 static zend_never_inline void ZEND_FASTCALL add_function_array(zval *result, zval *op1, zval *op2) /* {{{ */
 {
- if ((result == op1) && (result == op2)) {
+ if (result == op1 && Z_ARR_P(op1) == Z_ARR_P(op2)) {
 /* $a += $a */
 return;
 }
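Review bot: The comment above `return;` still reads `/* $a += $a */`, but the new guard `result == op1 && Z_ARR_P(op1) == Z_ARR_P(op2)` is now also taken when op2 is a different zval that aliases the same HashTable (the `$GLOBALS` case the new test exercises, and presumably a copy-on-write shared copy), and it is only correct to skip the merge because array `+` never overwrites existing keys, so merging an array into itself changes nothing; the comment should say so, e.g. `/* $a += $a, or op2 is another zval for the same array (e.g. $GLOBALS): array + never overwrites, so the merge would be a no-op */`. The `result != op1` case (`$c = $a + $a`) is presumably safe because result receives a fresh copy of op1 before op2 is merged in, but that code is outside this hunk and worth confirming. add_function_array's body continues past the hunk.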