From 84917300b234f898bd92a08fc3ab3b4a9f2246e9 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sun, 8 Dec 2024 20:02:26 +0100
Subject: [PATCH] Fix duplicate dynamic properties in hooked object iterator
 properties table

Ouch, Z_TRY_ADDREF_P() uses pz twice... Also make sure we actually reserve
enough Buckets for all dynamic properties.

Fixes OSS-Fuzz #382922236
Closes GH-17085
---
 NEWS                                          |  4 ++++
 .../property_hooks/oss-fuzz-382922236.phpt    | 20 +++++++++++++++++++
 Zend/zend_property_hooks.c                    |  7 +++++--
 3 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 Zend/tests/property_hooks/oss-fuzz-382922236.phpt

diff --git a/NEWS b/NEWS
index 589e9277552..58e69261024 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-17061 (Now Number::round() does not remove trailing zeros).
     (Saki Takamachi)
 
+- Core:
+  . Fixed bug OSS-Fuzz #382922236 (Duplicate dynamic properties in hooked object
+    iterator properties table). (ilutov)
+
 - DBA:
   . Skip test if inifile is disabled. (orlitzky)
 
diff --git a/Zend/tests/property_hooks/oss-fuzz-382922236.phpt b/Zend/tests/property_hooks/oss-fuzz-382922236.phpt
new file mode 100644
index 00000000000..f87b70ea5a7
--- /dev/null
+++ b/Zend/tests/property_hooks/oss-fuzz-382922236.phpt
@@ -0,0 +1,20 @@
+--TEST--
+OSS-Fuzz #382922236: Duplicate dynamic properties in hooked object iterator properties table
+--FILE--
+<?php
+
+#[AllowDynamicProperties]
+class C {
+    public $a {
+        get => 42;
+    }
+}
+
+$obj = new C();
+$b = &$obj->b;
+unset($b);
+echo json_encode($obj);
+
+?>
+--EXPECT--
+{"a":42,"b":null}
diff --git a/Zend/zend_property_hooks.c b/Zend/zend_property_hooks.c
index 82ddf2f8835..d1db597d3a3 100644
--- a/Zend/zend_property_hooks.c
+++ b/Zend/zend_property_hooks.c
@@ -44,7 +44,9 @@ static uint32_t zho_num_backed_props(zend_object *zobj)
 static zend_array *zho_build_properties_ex(zend_object *zobj, bool check_access, bool force_ptr, bool include_dynamic_props)
 {
 	zend_class_entry *ce = zobj->ce;
-	zend_array *properties = zend_new_array(ce->default_properties_count);
+	zend_array *properties = zend_new_array(include_dynamic_props && zobj->properties
+		? zend_hash_num_elements(zobj->properties)
+		: ce->default_properties_count);
 	zend_hash_real_init_mixed(properties);
 
 	/* Build list of parents */
@@ -105,7 +107,8 @@ skip_property:
 		zend_string *prop_name;
 		zval *prop_value;
 		ZEND_HASH_FOREACH_STR_KEY_VAL_FROM(zobj->properties, prop_name, prop_value, zho_num_backed_props(zobj)) {
-			Z_TRY_ADDREF_P(_zend_hash_append(properties, prop_name, prop_value));
+			zval *tmp = _zend_hash_append(properties, prop_name, prop_value);
+			Z_TRY_ADDREF_P(tmp);
 		} ZEND_HASH_FOREACH_END();
 	}