From 6e1fe969623809b113c1d9c1be69bb14087a2c28 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Tue, 30 Nov 2021 11:40:18 +0300
Subject: [PATCH] JIT: Fix uninitialized result of ASSIGN_DIM[_OP] after clobbering array by user error handler

Fixes oss-fuzz #41208
---
 ext/opcache/jit/zend_jit_helpers.c | 28 ++++++++++++++++++-----
 ext/opcache/tests/jit/assign_dim_005.phpt | 22 ++++++++++++++++++
 2 files changed, 44 insertions(+), 6 deletions(-)
 create mode 100644 ext/opcache/tests/jit/assign_dim_005.phpt

diff --git a/ext/opcache/jit/zend_jit_helpers.c b/ext/opcache/jit/zend_jit_helpers.c
index dafb648ea60..a7a8d6706f0 100644
--- a/ext/opcache/jit/zend_jit_helpers.c
+++ b/ext/opcache/jit/zend_jit_helpers.c
@@ -673,6 +675,8 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_rw_helper(zend_array *ht, zval *di
 zend_ulong hval;
 zend_string *offset_key;
 zval *retval;
+ zend_execute_data *execute_data;
+ const zend_op *opline;
 
 if (Z_TYPE_P(dim) == IS_REFERENCE) {
 dim = Z_REFVAL_P(dim);
@@ -686,9 +688,15 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_rw_helper(zend_array *ht, zval *di
 offset_key = Z_STR_P(dim);
 goto str_index;
 case IS_UNDEF:
- if (!zend_jit_undefined_op_helper_write(ht, EG(current_execute_data)->opline->op2.var)) {
- if (EG(exception)) {
- undef_result_after_exception();
+ execute_data = EG(current_execute_data);
+ opline = EX(opline);
+ if (!zend_jit_undefined_op_helper_write(ht, opline->op2.var)) {
+ if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
+ if (EG(exception)) {
+ ZVAL_UNDEF(EX_VAR(opline->result.var));
+ } else {
+ ZVAL_NULL(EX_VAR(opline->result.var));
+ }
 }
 return NULL;
 }
@@ -760,6 +768,8 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_w_helper(zend_array *ht, zval *dim
 zend_ulong hval;
 zend_string *offset_key;
 zval *retval;
+ zend_execute_data *execute_data;
+ const zend_op *opline;
 
 if (Z_TYPE_P(dim) == IS_REFERENCE) {
 dim = Z_REFVAL_P(dim);
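Review bot: The nine added lines under `case IS_UNDEF:` in zend_jit_fetch_dim_rw_helper are repeated verbatim in the `_w_` helper later in this patch, and the UNDEF-vs-NULL split carries no comment saying why the exception case must differ from the "handler returned normally" case (it replaces the old `undef_result_after_exception()` call). I would hoist the whole sequence — reading `EX(opline)`, calling the warning helper, and initialising the result slot when it reports the array was clobbered — into one static helper so the two call sites cannot drift, and put the rationale on that helper; each `case IS_UNDEF:` then reduces to `if (!zend_jit_undefined_dim_write(ht)) { return NULL; }`. That a later opcode reads the slot when the handler merely returns is taken from the commit subject, not from anything visible in this hunk. Both fetch helpers' bodies continue outside the hunk.
```c
/* Raise the "Undefined variable" warning for the IS_UNDEF dim of the current
 * opline. Returns 0 when zend_jit_undefined_op_helper_write() reports that
 * the user error handler destroyed the array (or threw); the caller must then
 * return NULL without touching ht. Because the JIT'd code does not get to
 * write the opline's result in that case, it is initialised here: UNDEF when
 * an exception is pending (the old undef_result_after_exception() behaviour),
 * NULL otherwise, so the slot is never left with stale type/pointer bits. */
static zend_always_inline int zend_jit_undefined_dim_write(zend_array *ht)
{
	zend_execute_data *execute_data = EG(current_execute_data);
	const zend_op *opline = EX(opline);

	if (zend_jit_undefined_op_helper_write(ht, opline->op2.var)) {
		return 1;
	}
	if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
		if (EG(exception)) {
			ZVAL_UNDEF(EX_VAR(opline->result.var));
		} else {
			ZVAL_NULL(EX_VAR(opline->result.var));
		}
	}
	return 0;
}

/* … unchanged: zend_jit_fetch_dim_rw_helper() up to the dim type switch … */
		case IS_UNDEF:
			if (!zend_jit_undefined_dim_write(ht)) {
				return NULL;
			}
```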
@@ -773,9 +783,15 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_w_helper(zend_array *ht, zval *dim
 offset_key = Z_STR_P(dim);
 goto str_index;
 case IS_UNDEF:
- if (!zend_jit_undefined_op_helper_write(ht, EG(current_execute_data)->opline->op2.var)) {
- if (EG(exception)) {
- undef_result_after_exception();
+ execute_data = EG(current_execute_data);
+ opline = EX(opline);
+ if (!zend_jit_undefined_op_helper_write(ht, opline->op2.var)) {
+ if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
+ if (EG(exception)) {
+ ZVAL_UNDEF(EX_VAR(opline->result.var));
+ } else {
+ ZVAL_NULL(EX_VAR(opline->result.var));
+ }
 }
 return NULL;
 }
diff --git a/ext/opcache/tests/jit/assign_dim_005.phpt b/ext/opcache/tests/jit/assign_dim_005.phpt
new file mode 100644
index 00000000000..2056ba05543
--- /dev/null
+++ b/ext/opcache/tests/jit/assign_dim_005.phpt
@@ -0,0 +1,22 @@
+--TEST--
+JIT ASSIGN_DIM: 005
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+--EXPECT--
+Error: Undefined variable $c
+Error: Undefined variable $c
+NULL
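Review bot: The new result-slot initialisation under `case IS_UNDEF:` in zend_jit_fetch_dim_w_helper writes NULL (or UNDEF) into `EX_VAR(opline->result.var)` for any opline whose result is IS_VAR/IS_TMP_VAR, but the helper's name suggests it also backs FETCH_DIM_W-style oplines, where the result slot is a fetch target rather than the value of an assignment. The JIT'd callers are not in this hunk, so please confirm that on the NULL return they either overwrite that slot themselves or genuinely expect a NULL there (as far as I recall the interpreter marks a failed W fetch differently). A one-line comment on the condition would make the intent explicit: `/* ASSIGN_DIM result: NULL if the error handler returned, UNDEF if it threw (was undef_result_after_exception) */`. The switch and the enclosing function continue outside the hunk.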
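Review bot: The `--EXPECT--` block shows the warning raised twice and a single NULL, so this test appears to cover only the branch where the error handler returns normally (the `ZVAL_NULL` case); nothing visible here exercises the `ZVAL_UNDEF` branch taken when the handler throws, nor the ASSIGN_DIM_OP form that goes through the `_rw_` helper named in the commit subject. The `--FILE--` body is absent from this rendering of the patch, so that may be an extraction artefact — if it is not, a second case with a throwing handler and a `$a[$c] .= ...` assignment would pin both code paths the C change touches. Naming the root cause in the title would also help the next reader, e.g. `JIT ASSIGN_DIM: 005 (oss-fuzz #41208, array destroyed by user error handler)`.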