Fix OSS Fuzz #60734: use-after-free visible in ASAN build

2026-03-24 00:02:20 +01:00 · 2023-07-24 16:15:57 +01:00
parent 6ae9cf40d1
commit 2fbec0974f
6 changed files with 142 additions and 0 deletions
--- a/Zend/tests/in-de-crement/object_cannot_incdec.phpt
+++ b/Zend/tests/in-de-crement/object_cannot_incdec.phpt
@@ -0,0 +1,45 @@
+--TEST--
+Cannot increment/decrement objects
+--FILE--
+<?php
+class Foo { }
+$o = new Foo;
+
+try {
+    $o++;
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+    var_dump($o);
+}
+try {
+    $o--;
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+    var_dump($o);
+}
+try {
+    ++$o;
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+    var_dump($o);
+}
+try {
+    --$o;
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+    var_dump($o);
+}
+?>
+--EXPECT--
+Cannot increment Foo
+object(Foo)#1 (0) {
+}
+Cannot decrement Foo
+object(Foo)#1 (0) {
+}
+Cannot increment Foo
+object(Foo)#1 (0) {
+}
+Cannot decrement Foo
+object(Foo)#1 (0) {
+}
--- a/Zend/tests/in-de-crement/object_cannot_incdec_use_result_op.phpt
+++ b/Zend/tests/in-de-crement/object_cannot_incdec_use_result_op.phpt
@@ -0,0 +1,45 @@
+--TEST--
+Cannot increment/decrement objects
+--FILE--
+<?php
+class Foo { }
+$o = new Foo;
+
+try {
+    $y = $o++;
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+    var_dump($o);
+}
+try {
+    $y = $o--;
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+    var_dump($o);
+}
+try {
+    $y = ++$o;
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+    var_dump($o);
+}
+try {
+    $y = --$o;
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+    var_dump($o);
+}
+?>
+--EXPECT--
+Cannot increment Foo
+object(Foo)#1 (0) {
+}
+Cannot decrement Foo
+object(Foo)#1 (0) {
+}
+Cannot increment Foo
+object(Foo)#1 (0) {
+}
+Cannot decrement Foo
+object(Foo)#1 (0) {
+}
--- a/Zend/tests/in-de-crement/oss-fuzz-60734_predec-object.phpt
+++ b/Zend/tests/in-de-crement/oss-fuzz-60734_predec-object.phpt
@@ -0,0 +1,14 @@
+--TEST--
+OSS Fuzz #60734: use-after-free visible in ASAN build pre decrement.
+--FILE--
+<?php
+class Foo{
+}
+$test = new Foo;
+$y = --$test;
+?>
+--EXPECTF--
+Fatal error: Uncaught TypeError: Cannot decrement Foo in %s:%d
+Stack trace:
+#0 {main}
+  thrown in %s on line %d
--- a/Zend/tests/in-de-crement/oss-fuzz-60734_preinc-object.phpt
+++ b/Zend/tests/in-de-crement/oss-fuzz-60734_preinc-object.phpt
@@ -0,0 +1,14 @@
+--TEST--
+OSS Fuzz #60734: use-after-free visible in ASAN build pre increment.
+--FILE--
+<?php
+class Foo{
+}
+$test = new Foo;
+$y = ++$test;
+?>
+--EXPECTF--
+Fatal error: Uncaught TypeError: Cannot increment Foo in %s:%d
+Stack trace:
+#0 {main}
+  thrown in %s on line %d
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1501,6 +1501,10 @@ ZEND_VM_HELPER(zend_pre_inc_helper, VAR|CV, ANY)
 		}
 		increment_function(var_ptr);
 		if (UNEXPECTED(EG(exception))) {
+			/* Smart branch expects result to be set with exceptions */
+			if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
+				ZVAL_NULL(EX_VAR(opline->result.var));
+			}
 			HANDLE_EXCEPTION();
 		}
 	} while (0);
@@ -1556,6 +1560,10 @@ ZEND_VM_HELPER(zend_pre_dec_helper, VAR|CV, ANY)
 		}
 		decrement_function(var_ptr);
 		if (UNEXPECTED(EG(exception))) {
+			/* Smart branch expects result to be set with exceptions */
+			if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
+				ZVAL_NULL(EX_VAR(opline->result.var));
+			}
 			HANDLE_EXCEPTION();
 		}
 	} while (0);
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -21625,6 +21625,10 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_inc_help
 		}
 		increment_function(var_ptr);
 		if (UNEXPECTED(EG(exception))) {
+			/* Smart branch expects result to be set with exceptions */
+			if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
+				ZVAL_NULL(EX_VAR(opline->result.var));
+			}
 			HANDLE_EXCEPTION();
 		}
 	} while (0);
@@ -21698,6 +21702,10 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_dec_help
 		}
 		decrement_function(var_ptr);
 		if (UNEXPECTED(EG(exception))) {
+			/* Smart branch expects result to be set with exceptions */
+			if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
+				ZVAL_NULL(EX_VAR(opline->result.var));
+			}
 			HANDLE_EXCEPTION();
 		}
 	} while (0);
@@ -39000,6 +39008,10 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_inc_help
 		}
 		increment_function(var_ptr);
 		if (UNEXPECTED(EG(exception))) {
+			/* Smart branch expects result to be set with exceptions */
+			if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
+				ZVAL_NULL(EX_VAR(opline->result.var));
+			}
 			HANDLE_EXCEPTION();
 		}
 	} while (0);
@@ -39072,6 +39084,10 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_pre_dec_help
 		}
 		decrement_function(var_ptr);
 		if (UNEXPECTED(EG(exception))) {
+			/* Smart branch expects result to be set with exceptions */
+			if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
+				ZVAL_NULL(EX_VAR(opline->result.var));
+			}
 			HANDLE_EXCEPTION();
 		}
 	} while (0);