From f18bb2477fba864d20d2c3b7422e5b9ce88f1f79 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Mon, 20 Dec 2021 11:40:11 +0300
Subject: [PATCH] Fix type inference for INIT_ARRAY with invalid index

Fixes oss-fuzz #42568
---
 ext/opcache/Optimizer/zend_inference.c | 4 +++-
 ext/opcache/tests/opt/inference_002.phpt | 15 +++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 ext/opcache/tests/opt/inference_002.phpt

diff --git a/ext/opcache/Optimizer/zend_inference.c b/ext/opcache/Optimizer/zend_inference.c
index e4bb7ec3454..feb469303c4 100644
--- a/ext/opcache/Optimizer/zend_inference.c
+++ b/ext/opcache/Optimizer/zend_inference.c
@@ -3002,7 +3002,9 @@ static zend_always_inline int _zend_update_type_info(
 if (ssa_op->result_use >= 0) {
 tmp |= ssa_var_info[ssa_op->result_use].type;
 }
- if (opline->op1_type != IS_UNUSED) {
+ if (opline->op1_type != IS_UNUSED
+ && (opline->op2_type == IS_UNUSED
+ || (t2 & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_LONG|MAY_BE_DOUBLE|MAY_BE_RESOURCE|MAY_BE_STRING)))) {
 tmp |= (t1 & MAY_BE_ANY) << MAY_BE_ARRAY_SHIFT;
 if (t1 & MAY_BE_UNDEF) {
 tmp |= MAY_BE_ARRAY_OF_NULL;
diff --git a/ext/opcache/tests/opt/inference_002.phpt b/ext/opcache/tests/opt/inference_002.phpt
new file mode 100644
index 00000000000..70412426c2f
--- /dev/null
+++ b/ext/opcache/tests/opt/inference_002.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Type inference 002: Type inference for INIT_ARRAY with invalid index
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=-1
+--FILE--
+&$x]);
+?>
+--EXPECTF--
+Fatal error: Uncaught TypeError: Illegal offset type in %sinference_002.php:2
+Stack trace:
+#0 {main}
+ thrown in %sinference_002.php on line 2
\ No newline at end of file
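Review bot: The eight-bit key-type mask on the added `||` line is an unexplained inline constant in the middle of the `if` condition; a short comment would make the intent survive the next edit, e.g. `/* Propagate element types only when the key may be a legal offset; an array or object key always throws "Illegal offset type", so no element is ever added. */`. Consider also giving the mask a name next to the other MAY_BE_* definitions rather than spelling the bits out inline, since the same legality rule presumably applies wherever offset types are checked in the optimizer. Note the check is an overlap test, so a key typed `MAY_BE_STRING|MAY_BE_ARRAY` still propagates the element type, which is the conservative direction; the `result_use` merge in the context lines suggests this arm also serves the ADD_ARRAY_ELEMENT case, so the comment should not claim it is INIT_ARRAY-only. `_zend_update_type_info` starts and ends outside this hunk.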