From 2e29817005bb5365bf1bcde454b8c2289ff1b3d2 Mon Sep 17 00:00:00 2001
From: Nikita Popov 
Date: Mon, 1 Nov 2021 14:25:27 +0100
Subject: [PATCH] Handle FETCH_DIM_R after FETCH_DIM_FUNC_ARG in inference

This can happen if a call is optimized, but FETCH_DIM_FUNC_ARG cannot be converted to FETCH_DIM_R because it uses an UNUSED op2, which is not supported by FETCH_DIM_R.

Fixes oss-fuzz 6144185837682688.
---
 Zend/tests/func_arg_fetch_optimization.phpt | 15 +++++++++++++++
 ext/opcache/Optimizer/zend_inference.c | 1 +
 2 files changed, 16 insertions(+)
 create mode 100644 Zend/tests/func_arg_fetch_optimization.phpt

diff --git a/Zend/tests/func_arg_fetch_optimization.phpt b/Zend/tests/func_arg_fetch_optimization.phpt
new file mode 100644
index 00000000000..ba01d8f7dee
--- /dev/null
+++ b/Zend/tests/func_arg_fetch_optimization.phpt
@@ -0,0 +1,15 @@
+--TEST--
+FETCH_DIM_FUNC_ARG that cannot be optimized to FETCH_DIM_R because it appends
+--FILE--
+getMessage(), "\n";
+}
+?>
+--EXPECT--
+Cannot use [] for reading
diff --git a/ext/opcache/Optimizer/zend_inference.c b/ext/opcache/Optimizer/zend_inference.c
index b981a1fc1de..5fa33e0c96c 100644
--- a/ext/opcache/Optimizer/zend_inference.c
+++ b/ext/opcache/Optimizer/zend_inference.c
@@ -3389,6 +3389,7 @@ static zend_always_inline int _zend_update_type_info(
 * is already an object. */
 break;
 case ZEND_SEND_VAR:
+ case ZEND_FETCH_DIM_R:
 /* This can occur if a DIM_FETCH_FUNC_ARG with UNUSED op2 is left
 * behind, because it can't be converted to DIM_FETCH_R. */
 break;
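Review bot: The existing comment that the new `case ZEND_FETCH_DIM_R:` label now shares with `ZEND_SEND_VAR` refers to the opcodes as `DIM_FETCH_FUNC_ARG` and `DIM_FETCH_R`, while the real names (and the commit subject) are `FETCH_DIM_FUNC_ARG` and `FETCH_DIM_R`; since adding the label is what makes that comment cover this case, I would correct it in the same change, e.g. `/* A FETCH_DIM_FUNC_ARG with UNUSED op2 that was left behind because it cannot be converted to FETCH_DIM_R. Such an instruction always throws, so no result type is inferred here. */`. The "always throws" part is inferred from the new test's expected output `Cannot use [] for reading` rather than from anything in this hunk, so confirm it against the VM handler before stating it. It would also help a later reader to say in the comment that the `break` intentionally bypasses the fallback handling for the result operand, if that is the intent; the body of `_zend_update_type_info` begins and ends outside the hunk, so I cannot see what the default branch would otherwise do with `result_def`.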