From ddabe89add0276080ad61a705d4436790a22c6a9 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo
Date: Thu, 2 Nov 2023 16:54:23 +0100
Subject: [PATCH] Fix OP1 leak in error path of post inc/dec

Fixes oss-fuzz #63802
Closes GH-12599
---
 NEWS                           |  1 +
 Zend/tests/oss_fuzz_63802.phpt | 34 ++++++++++++++++++++++++++++++++++
 Zend/zend_vm_def.h             |  6 ------
 Zend/zend_vm_execute.h         | 12 ------------
 4 files changed, 35 insertions(+), 18 deletions(-)
 create mode 100644 Zend/tests/oss_fuzz_63802.phpt

diff --git a/NEWS b/NEWS
index f16a1f676c9..f84d3525a10 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,7 @@ PHP NEWS
   . Fixed max_execution_time: don't delete an unitialized timer. (Kévin Dunglas)
   . Fixed bug GH-12558 (Arginfo soft-breaks with namespaced class return type
     if the class name starts with N). (kocsismate)
+  . Fixed oss-fuzz #63802 (OP1 leak in error path of post inc/dec). (ilutov)
 
 - DOM:
   . Fix registerNodeClass with abstract class crashing. (nielsdos)
diff --git a/Zend/tests/oss_fuzz_63802.phpt b/Zend/tests/oss_fuzz_63802.phpt
new file mode 100644
index 00000000000..51b4c8f1fd7
--- /dev/null
+++ b/Zend/tests/oss_fuzz_63802.phpt
@@ -0,0 +1,34 @@
+--TEST--
+oss-fuzz #63802: OP1 leak in error path of post inc/dec
+--FILE--
+ 42;
+    }
+    public function preDec() {
+        --$this > 42;
+    }
+    public function postInc() {
+        $this++ > 42;
+    }
+    public function postDec() {
+        $this-- > 42;
+    }
+}
+$foo = new Foo();
+foreach (['pre', 'post'] as $prePost) {
+    foreach (['inc', 'dec'] as $incDec) {
+        try {
+            $foo->{$prePost . ucfirst($incDec)}();
+        } catch (TypeError $e) {
+            echo $e->getMessage(), "\n";
+        }
+    }
+}
+?>
+--EXPECT--
+Cannot increment Foo
+Cannot decrement Foo
+Cannot increment Foo
+Cannot decrement Foo
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 9c11767584b..1e7110b4909 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1606,9 +1606,6 @@ ZEND_VM_HELPER(zend_post_inc_helper, VAR|CV, ANY)
 		ZVAL_COPY(EX_VAR(opline->result.var), var_ptr);
 
 		increment_function(var_ptr);
-		if (UNEXPECTED(EG(exception))) {
-			HANDLE_EXCEPTION();
-		}
 	} while (0);
 
 	FREE_OP1();
@@ -1657,9 +1654,6 @@ ZEND_VM_HELPER(zend_post_dec_helper, VAR|CV, ANY)
 		ZVAL_COPY(EX_VAR(opline->result.var), var_ptr);
 
 		decrement_function(var_ptr);
-		if (UNEXPECTED(EG(exception))) {
-			HANDLE_EXCEPTION();
-		}
 	} while (0);
 
 	FREE_OP1();
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index ccfa626f901..7ec1f3833ca 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -21782,9 +21782,6 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_inc_hel
 		ZVAL_COPY(EX_VAR(opline->result.var), var_ptr);
 
 		increment_function(var_ptr);
-		if (UNEXPECTED(EG(exception))) {
-			HANDLE_EXCEPTION();
-		}
 	} while (0);
 
 	zval_ptr_dtor_nogc(EX_VAR(opline->op1.var));
@@ -21833,9 +21830,6 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_dec_hel
 		ZVAL_COPY(EX_VAR(opline->result.var), var_ptr);
 
 		decrement_function(var_ptr);
-		if (UNEXPECTED(EG(exception))) {
-			HANDLE_EXCEPTION();
-		}
 	} while (0);
 
 	zval_ptr_dtor_nogc(EX_VAR(opline->op1.var));
@@ -39149,9 +39143,6 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_inc_hel
 		ZVAL_COPY(EX_VAR(opline->result.var), var_ptr);
 
 		increment_function(var_ptr);
-		if (UNEXPECTED(EG(exception))) {
-			HANDLE_EXCEPTION();
-		}
 	} while (0);
 
 	ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();
@@ -39199,9 +39190,6 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_dec_hel
 		ZVAL_COPY(EX_VAR(opline->result.var), var_ptr);
 
 		decrement_function(var_ptr);
-		if (UNEXPECTED(EG(exception))) {
-			HANDLE_EXCEPTION();
-		}
 	} while (0);
 
 	ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();
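Review bot: The deleted early `HANDLE_EXCEPTION()` in `zend_post_inc_helper` leaves a bare `increment_function(var_ptr);` with no exception test after it, which reads like an oversight and invites the next maintainer to re-add the check and reintroduce the OP1 leak; a why-comment on that line would guard against this, e.g. `/* No HANDLE_EXCEPTION() here: OP1 must be released by FREE_OP1() first; a pending exception is picked up by ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION() below. */` (and the mirror in `zend_post_dec_helper`). The `ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION()` the fix relies on is only visible in the CV hunks of the generated `zend_vm_execute.h`; in these `zend_vm_def.h` hunks the helper body continues past `FREE_OP1()` outside the hunk, so I am inferring it ends the same way there. Since `zend_vm_execute.h` is generated from `zend_vm_def.h`, the comment belongs in the latter only. Note also that `ZVAL_COPY` has already populated the result slot before the failing call, so on the error path that copy is presumably released by the exception unwinding's TMP/VAR cleanup rather than by this helper — worth confirming rather than assuming.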