From cc065bae3ffbdcf0ea2fa76c483c2ea3c779793c Mon Sep 17 00:00:00 2001
From: Arnaud Le Blanc
Date: Mon, 23 Sep 2024 13:47:56 +0200
Subject: [PATCH] Fix zend_lazy_object_get_properties for object with prop ht, when init fails (#15825)
zend_lazy_object_get_properties() is used by zend_std_get_properties_ex() to fetch the properties of lazy objects. It initializes the object and returns its properties. When initialization fails we return an empty ht because most callers do not check for NULL. We rely on the exception thrown during initialization. We also assign that empty ht to zend_object.properties for the same reasons. We asserted that zend_object.properties was either NULL or &zend_empty_array, but there are other cases in which a uninitialized lazy object may have a properties ht. Here I remove the assertion, and return the existing properties ht if there is one. Otherwise I return zend_new_array(0) instead of &zend_emtpy_array as not all callers expect an immutable array (e.g. FE_FETCH does not).
---
 Zend/tests/lazy_objects/gh15823.phpt | 37 ++++++++++++++++++++++++++++
 Zend/zend_lazy_objects.c | 6 +++--
 2 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 Zend/tests/lazy_objects/gh15823.phpt
diff --git a/Zend/tests/lazy_objects/gh15823.phpt b/Zend/tests/lazy_objects/gh15823.phpt
new file mode 100644
index 00000000000..6164e54ea23
--- /dev/null
+++ b/Zend/tests/lazy_objects/gh15823.phpt
@@ -0,0 +1,37 @@
+--TEST--
+GH-15823: Wrong expectations in zend_lazy_object_get_properties()
+--FILE--
+newLazyGhost(function ($obj) use (&$calls) {
+ if ($calls++ === 0) {
+ throw new Error("initializer");
+ }
+ $obj->a = 2;
+});
+
+// Builds properties ht without lazy initialization
+var_dump($obj);
+try {
+ // Lazy initialization fails during fetching of properties ht
+ json_encode($obj);
+} catch (Error $e) {
+ printf("%s: %s\n", $e::class, $e->getMessage());
+}
+
+var_dump(json_encode($obj));
+
+?>
+--EXPECTF--
+lazy ghost object(C)#%d (0) {
+ ["a"]=>
+ uninitialized(int)
+}
+Error: initializer
+string(7) "{"a":2}"
diff --git a/Zend/zend_lazy_objects.c b/Zend/zend_lazy_objects.c
index 8be8e8b7b77..c8e9fa1bfb3 100644
--- a/Zend/zend_lazy_objects.c
+++ b/Zend/zend_lazy_objects.c
@@ -624,8 +624,10 @@ ZEND_API HashTable *zend_lazy_object_get_properties(zend_object *object)
 zend_object *tmp = zend_lazy_object_init(object);
 if (UNEXPECTED(!tmp)) {
- ZEND_ASSERT(!object->properties || object->properties == &zend_empty_array);
- return object->properties = (zend_array*) &zend_empty_array;
+ if (object->properties) {
+ return object->properties;
+ }
+ return object->properties = zend_new_array(0);
 }
 object = tmp;
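Review bot: The early `return object->properties;` in the failure branch of zend_lazy_object_get_properties() returns whatever table is already attached, and if that can still be `&zend_empty_array` (the removed assertion listed it as a legal state; the hunk does not show whether another path still sets it) a caller that writes into the result, such as FE_FETCH per the commit message, would be handed the shared immutable array. Guarding with `if (object->properties && object->properties != &zend_empty_array) {` keeps the fall-through to `zend_new_array(0)` for that case. A short comment above the branch, e.g. `/* Init failed: return a mutable ht; the pending exception reports the error */`, would record why the immutable array is avoided. The function body continues past the end of the hunk.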