From 94286cd596b497fcaf66017505a638633409d15b Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Thu, 2 Dec 2021 16:16:54 +0300
Subject: [PATCH] Fix yet another indirect string modification by error handler problem
---
 Zend/tests/str_offset_008.phpt | 18 ++++++++++++++++++
 ext/opcache/jit/zend_jit_helpers.c | 8 ++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 Zend/tests/str_offset_008.phpt
diff --git a/Zend/tests/str_offset_008.phpt b/Zend/tests/str_offset_008.phpt
new file mode 100644
index 00000000000..e99e46e59e7
--- /dev/null
+++ b/Zend/tests/str_offset_008.phpt
@@ -0,0 +1,18 @@
+--TEST--
+string offset 008 indirect string modification by error handler
+--FILE--
+
+--EXPECT--
+Err: Undefined variable $b
+Err: String offset cast occurred
+string(1) "x"
+int(8)
diff --git a/ext/opcache/jit/zend_jit_helpers.c b/ext/opcache/jit/zend_jit_helpers.c
index 3d7163d3706..d287416fa74 100644
--- a/ext/opcache/jit/zend_jit_helpers.c
+++ b/ext/opcache/jit/zend_jit_helpers.c
@@ -921,7 +921,15 @@ static zend_string* ZEND_FASTCALL zend_jit_fetch_dim_str_r_helper(zend_string *s
 zend_long offset;
 if (UNEXPECTED(Z_TYPE_P(dim) != IS_LONG)) {
+ if (!(GC_FLAGS(str) & IS_STR_INTERNED)) {
+ GC_ADDREF(str);
+ }
 offset = zend_check_string_offset(dim/*, BP_VAR_R*/);
+ if (!(GC_FLAGS(str) & IS_STR_INTERNED) && UNEXPECTED(GC_DELREF(str) == 0)) {
+ zend_string *ret = zend_jit_fetch_dim_str_offset(str, offset);
+ zend_string_efree(str);
+ return ret;
+ }
 } else {
 offset = Z_LVAL_P(dim);
 }
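Review bot: The temporary reference taken around zend_check_string_offset() in zend_jit_fetch_dim_str_r_helper carries no comment, so a later reader cannot tell why `str` is addref'd/delref'd only on the non-IS_LONG path and why the lookup must happen before the string is freed; I would put a comment above the first added `if`, e.g. `/* zend_check_string_offset() may run a user error handler that drops the caller's reference to str; hold our own so the offset lookup below does not read a freed string */`. The `GC_FLAGS(str) & IS_STR_INTERNED` test is evaluated twice with the same result; caching it once (`bool own_ref = !(GC_FLAGS(str) & IS_STR_INTERNED);`) makes the pairing of GC_ADDREF and GC_DELREF easier to verify and avoids re-reading the header after user code has run. The early-return branch presumably duplicates the zend_jit_fetch_dim_str_offset() call that follows the hunk, and `zend_string_efree` assumes a non-persistent string, which the interned check alone does not establish; worth confirming that every non-interned string reaching this helper is request-allocated. The enclosing function continues past the end of the hunk, and the --FILE-- section of the new phpt is not visible on this page, so the reproducer itself could not be reviewed.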