From 97b5eeeb6c04c7637bef5d32a1b08dd409f16570 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Tue, 28 Sep 2021 16:28:34 +0200
Subject: [PATCH] Fix leak with ASSIGN_OBJ on null

We still need to free op1 in this case.

Fixes oss-fuzz 5782176231194624 (part of #38542).
---
 ext/opcache/jit/zend_jit_x86.dasc | 5 ++-
 ext/opcache/tests/jit/assign_obj_on_null.phpt | 37 +++++++++++++++++++
 2 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 ext/opcache/tests/jit/assign_obj_on_null.phpt

diff --git a/ext/opcache/jit/zend_jit_x86.dasc b/ext/opcache/jit/zend_jit_x86.dasc
index 9441c8f099f..d30f8e64261 100644
--- a/ext/opcache/jit/zend_jit_x86.dasc
+++ b/ext/opcache/jit/zend_jit_x86.dasc
@@ -13731,11 +13731,12 @@ static int zend_jit_assign_obj_op(dasm_State **Dst,
 } else {
 | EXT_CALL zend_jit_invalid_property_assign, r0
 }
+ may_throw = 1;
 if (((opline+1)->op1_type & (IS_VAR|IS_TMP_VAR))
 && (val_info & (MAY_BE_REF|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE))) {
 | jmp >8
 } else {
- | jmp ->exception_handler
+ | jmp >9
 }
 |.code
 }
@@ -14067,7 +14068,7 @@ static int zend_jit_assign_obj(dasm_State **Dst,
 && (val_info & (MAY_BE_REF|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE))) {
 | jmp >7
 } else {
- | jmp ->exception_handler
+ | jmp >9
 }
 |.code
 }
diff --git a/ext/opcache/tests/jit/assign_obj_on_null.phpt b/ext/opcache/tests/jit/assign_obj_on_null.phpt
new file mode 100644
index 00000000000..16992727c90
--- /dev/null
+++ b/ext/opcache/tests/jit/assign_obj_on_null.phpt
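Review bot: The new `| jmp >9` in zend_jit_assign_obj_op branches to a label that lies outside the hunk, so nothing in the visible lines shows that label 9 releases op1 before dispatching to exception_handler, which is the whole point of the fix; a C comment on the line above the jump would make that explicit, e.g. `/* value needs no free, but op1 still does: label 9 frees it before exception_handler */`. The same redirect in zend_jit_assign_obj (the @@ -14067 hunk) carries no `may_throw = 1;` in its visible lines — if that function does not already flag this path as throwing elsewhere, the exception check emitted after the call could be skipped, which is worth confirming. Both enclosing functions start and end outside their hunks.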
@@ -0,0 +1,37 @@
+--TEST--
+ASSIGN_OBJ on null reference returned from __get()
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+prop;
+ }
+}
+function test() {
+ $obj = new Test;
+ $obj->x->y = 1;
+}
+function test2() {
+ $obj = new Test;
+ $obj->x->y += 1;
+}
+try {
+ test();
+} catch (Error $e) {
+ echo $e->getMessage(), "\n";
+}
+try {
+ test2();
+} catch (Error $e) {
+ echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+Attempt to assign property "y" on null
+Attempt to assign property "y" on null