From 4fd99925617be65f19c2a026610041c86777f8a2 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sat, 15 Mar 2025 11:31:40 +0100 Subject: [PATCH] Fix OSS-Fuzz #403308724 Because simple hooks can be nested without starting a new context, we need to restore the old property info in case of nested hooks. Closes GH-18074. --- NEWS | 1 + .../property_hooks/oss_fuzz_403308724.phpt | 30 +++++++++++++++++++ Zend/zend_compile.c | 4 +-- 3 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 Zend/tests/property_hooks/oss_fuzz_403308724.phpt diff --git a/NEWS b/NEWS index 805363ed248..f912002aebd 100644 --- a/NEWS +++ b/NEWS @@ -26,6 +26,7 @@ PHP NEWS (Arnaud) . Fixed bug GH-15367 (dl() of module with aliased class crashes in shutdown). (Arnaud) + . Fixed OSS-Fuzz #403308724. (nielsdos) - DBA: . Fixed assertion violation when opening the same file with dba_open diff --git a/Zend/tests/property_hooks/oss_fuzz_403308724.phpt b/Zend/tests/property_hooks/oss_fuzz_403308724.phpt new file mode 100644 index 00000000000..b27b08dd703 --- /dev/null +++ b/Zend/tests/property_hooks/oss_fuzz_403308724.phpt @@ -0,0 +1,30 @@ +--TEST-- +OSS-Fuzz #403308724 +--FILE-- + 1; } +} + +class Test extends Base { + public $y { + get => [new class { + public $inner {get => __PROPERTY__;} + }, parent::$y::get()]; + } +} + +$test = new Test; +$y = $test->y; +var_dump($y); +var_dump($y[0]->inner); +?> +--EXPECT-- +array(2) { + [0]=> + object(class@anonymous)#2 (0) { + } + [1]=> + int(1) +} +string(5) "inner" diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c index ef75b45ad05..832dedc4210 100644 --- a/Zend/zend_compile.c +++ b/Zend/zend_compile.c 
@@ -8645,7 +8645,7 @@ static void zend_compile_prop_decl(zend_ast *ast, zend_ast *type_ast, uint32_t f
 /* FIXME: This is a dirty fix to maintain ABI compatibility. We don't
 * have an actual property info yet, but we really only need the name
 * anyway. We should convert this to a zend_string. */
- ZEND_ASSERT(!CG(context).active_property_info);
+ const zend_property_info *old_active_property_info = CG(context).active_property_info;
 zend_property_info dummy_prop_info = { .name = name };
 CG(context).active_property_info = &dummy_prop_info;

@@ -8742,7 +8742,7 @@ static void zend_compile_prop_decl(zend_ast *ast, zend_ast *type_ast, uint32_t f
 zend_compile_attributes(&info->attributes, attr_ast, 0, ZEND_ATTRIBUTE_TARGET_PROPERTY, 0);
 }

- CG(context).active_property_info = NULL;
+ CG(context).active_property_info = old_active_property_info;
 }
 }
 /* }}} */
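Review bot: Dropping `ZEND_ASSERT(!CG(context).active_property_info)` in the hunk at line 8645 also drops the only debug-build check that an earlier declaration did not leave a pointer to its out-of-scope `dummy_prop_info` behind; a stale value would now be saved into `old_active_property_info` and written back by the restore in the hunk at line 8742. That restore runs only when control reaches the end of the block, so any early exit in the roughly ninety lines between the two hunks (not visible here) would leave `CG(context).active_property_info` pointing at a dead stack object. It is worth confirming there is no such path, and saying so next to the save, for example `/* Simple hooks can nest without a new context, so save the outer value; restored at the end of this block, which must stay the only exit. */`. The body of zend_compile_prop_decl starts before the first hunk, and the code between the two hunks is outside the page.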