diff --git a/NEWS b/NEWS
index 6bc566be390..93be6f405c0 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,7 @@ PHP NEWS
 . Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction order). (Daniil Gentili)
 . Fixed bug GH-18907 (Leak when creating cycle in hook). (ilutov)
+ . Fix OSS-Fuzz #427814456. (nielsdos)
 - Curl:
 . Fix memory leaks when returning refcounted value from curl callback.
diff --git a/Zend/tests/numeric_strings/oss_fuzz_427814456.phpt b/Zend/tests/numeric_strings/oss_fuzz_427814456.phpt
new file mode 100644
index 00000000000..f91563385e9
--- /dev/null
+++ b/Zend/tests/numeric_strings/oss_fuzz_427814456.phpt
@@ -0,0 +1,11 @@
+--TEST--
+OSS-Fuzz #427814456
+--FILE--
+
+--EXPECT--
+Done
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index 252b8df1ea0..9ed7531361a 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -402,6 +402,7 @@ try_again:
 zend_long lval;
 double dval;
 bool trailing_data = false;
+ zend_string *op_str = NULL; /* protect against error handlers */
 /* For BC reasons we allow errors so that we can warn on leading numeric string */
 type = is_numeric_string_ex(Z_STRVAL_P(op), Z_STRLEN_P(op), &lval, &dval,
@@ -411,6 +412,9 @@ try_again:
 return 0;
 }
 if (UNEXPECTED(trailing_data)) {
+ if (type != IS_LONG) {
+ op_str = zend_string_copy(Z_STR_P(op));
+ }
 zend_error(E_WARNING, "A non-numeric value encountered");
 if (UNEXPECTED(EG(exception))) {
 *failed = 1;
@@ -426,11 +430,12 @@ try_again:
 */
 lval = zend_dval_to_lval_cap(dval);
 if (!zend_is_long_compatible(dval, lval)) {
- zend_incompatible_string_to_long_error(Z_STR_P(op));
+ zend_incompatible_string_to_long_error(op_str ? op_str : Z_STR_P(op));
 if (UNEXPECTED(EG(exception))) {
 *failed = 1;
 }
 }
+ zend_tmp_string_release(op_str);
 return lval;
 }
 }
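Review bot: The copy added in the `trailing_data` branch is guarded by `type != IS_LONG`, which is only safe while the `IS_LONG` path never reads `op` again after `zend_error()` returns, and nothing at that site records the reason. The declaration comment says only "protect against error handlers"; I would add at the copy something like `/* zend_error() may run a user error handler that, presumably, releases the string behind op; hold a reference for the non-IS_LONG path, which passes it to zend_incompatible_string_to_long_error() below */`. The matching `zend_tmp_string_release(op_str)` in the last hunk sits before the only `return lval` shown there. The code between the hunks is not visible, so it is worth confirming that no other exit can be reached once the reference has been taken. The enclosing function starts and ends outside these hunks.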