From 16a8591f281860eb3d08c8ac8fcc79d791608603 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo
Date: Fri, 26 Sep 2025 14:26:16 +0200
Subject: [PATCH] Fix fatal error during sccp shift eval

Avoid returning early in this function, as other checks might still be needed to verify whether the given function can procude an error.

Fixes oss-fuzz #447521098
Closes GH-19972
---
 NEWS | 3 +++
 Zend/tests/oss_fuzz_447521098.phpt | 13 +++++++++++++
 Zend/zend_compile.c | 8 ++++++--
 3 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 Zend/tests/oss_fuzz_447521098.phpt

diff --git a/NEWS b/NEWS
index c21d7801b3f..c16f62d8ba7 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.5.0RC2
+- Core:
+ . Fix OSS-Fuzz #447521098 (Fatal error during sccp shift eval). (ilutov)
+
 - Opcache
 . Fixed segfault in function JIT due to NAN to bool warning. (Girgias)
diff --git a/Zend/tests/oss_fuzz_447521098.phpt b/Zend/tests/oss_fuzz_447521098.phpt
new file mode 100644
index 00000000000..09967ce0ae3
--- /dev/null
+++ b/Zend/tests/oss_fuzz_447521098.phpt
@@ -0,0 +1,13 @@
+--TEST--
+OSS-Fuzz #447521098: Fatal error during sccp shift eval
+--FILE--
+> $y;
+}
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 2eee6a01caf..d8c13b6ff6c 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -9998,7 +9998,9 @@ ZEND_API bool zend_binary_op_produces_error(uint32_t opcode, const zval *op1, co
 /* Operation which cast float/float-strings to integers might produce incompatible float to int errors */
 if (opcode == ZEND_SL || opcode == ZEND_SR || opcode == ZEND_BW_OR || opcode == ZEND_BW_AND || opcode == ZEND_BW_XOR) {
- return !zend_is_op_long_compatible(op1) || !zend_is_op_long_compatible(op2);
+ if (!zend_is_op_long_compatible(op1) || !zend_is_op_long_compatible(op2)) {
+ return 1;
+ }
 }
 if (opcode == ZEND_DIV && zval_get_double(op2) == 0.0) {
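Review bot: The new inner `if` returns `1` from a function the hunk header declares as `bool`, so `return true;` would match the declared type, both here and in the ZEND_MOD hunk below; keeping `1` is only defensible if the rest of zend_binary_op_produces_error already uses integer literals, which the hunk does not show. The comment above the shift/bitwise block still reads as if long-compatibility alone decides the result, whereas the point of this change is that compatible operands now fall through to the later checks, so I would extend it with `/* Long-compatible operands can still produce an error, so do not return early here. */`. zend_binary_op_produces_error begins before this hunk and the checks it now falls through to lie after it, so the surrounding lines should be confirmed against the file; one context line also appears to have been lost when the hunk was collapsed.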
@@ -10009,7 +10011,9 @@ ZEND_API bool zend_binary_op_produces_error(uint32_t opcode, const zval *op1, co
 /* Mod is an operation that will cast float/float-strings to integers which might produce float to int incompatible errors, and also cannot be divided by 0 */
 if (opcode == ZEND_MOD) {
- return !zend_is_op_long_compatible(op1) || !zend_is_op_long_compatible(op2) || zval_get_long(op2) == 0;
+ if (!zend_is_op_long_compatible(op1) || !zend_is_op_long_compatible(op2) || zval_get_long(op2) == 0) {
+ return 1;
+ }
 }
 if ((opcode == ZEND_POW) && zval_get_double(op1) == 0 && zval_get_double(op2) < 0) {