From ab6977d36c5b9066b27f8455e9dbda13d8c44964 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo
Date: Wed, 29 Jan 2025 12:48:35 +0100
Subject: [PATCH] Fix segfault when assigning to backing value by-ref from hook

Fixes oss-fuzz #391975641
Closes GH-17620
---
 NEWS | 2 ++
 Zend/tests/oss-fuzz-391975641.phpt | 22 ++++++++++++++++++++++
 Zend/zend_execute.c | 2 +-
 3 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/oss-fuzz-391975641.phpt

diff --git a/NEWS b/NEWS
index 7ccf92b9169..fb3a050b1bb 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,8 @@ PHP NEWS
 . Fixed bug GH-17618 (UnhandledMatchError does not take
 zend.exception_ignore_args=1 into account). (timwolla)
 . Fix fallback paths in fast_long_{add,sub}_function. (nielsdos)
+ . Fixed bug OSS-Fuzz #391975641 (Crash when accessing property backing value
+ by reference). (ilutov)

 - DOM:
 . Fixed bug GH-17609 (Typo in error message: Dom\NO_DEFAULT_NS instead of
diff --git a/Zend/tests/oss-fuzz-391975641.phpt b/Zend/tests/oss-fuzz-391975641.phpt
new file mode 100644
index 00000000000..586457aeac5
--- /dev/null
+++ b/Zend/tests/oss-fuzz-391975641.phpt
@@ -0,0 +1,22 @@
+--TEST--
+OSS-Fuzz #391975641: Segfault when creating reference from backing value
+--FILE--
+ $this->prop;
+ set {
+ $this->prop = &$value;
+ $value = &$this->prop;
+ }
+ }
+}
+
+$c = new C;
+$c->prop = 1;
+var_dump($c->prop);
+
+?>
+--EXPECT--
+int(1)
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 8b148c40a49..0f8b062e3f0 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -3490,7 +3490,7 @@ static zend_always_inline void zend_assign_to_property_reference(zval *container
 variable_ptr = zend_wrong_assign_to_variable_reference(
 variable_ptr, value_ptr, &garbage OPLINE_CC EXECUTE_DATA_CC);
- } else if (prop_info) {
+ } else if (prop_info && ZEND_TYPE_IS_SET(prop_info->type)) {
 variable_ptr = zend_assign_to_typed_property_reference(prop_info,
 variable_ptr, value_ptr, &garbage EXECUTE_DATA_CC);
 } else {
 zend_assign_to_variable_reference(variable_ptr, value_ptr, &garbage);
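Review bot: The new guard `prop_info && ZEND_TYPE_IS_SET(prop_info->type)` encodes an invariant that the code does not state: a non-NULL prop_info no longer implies a typed property, which (inferred from the commit title and the added phpt) is the case for a hooked property whose backing value is untyped. Without a comment the next reader may simplify the condition back to `prop_info` and reintroduce the crash, so I would add above the `else if`: `/* prop_info may be set for an untyped hooked property; only typed properties go through the typed-reference path. */`. Any other site in this file that uses prop_info alone as a proxy for "typed" before calling zend_assign_to_typed_property_reference would carry the same latent assumption and is worth checking, though none is visible in this hunk. zend_assign_to_property_reference starts and ends outside the hunk.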