From fae42c8bd832174a17a804d0da0bfd624fd071e4 Mon Sep 17 00:00:00 2001 From: Ilija Tovilo Date: Wed, 21 Jun 2023 14:59:05 +0200 Subject: [PATCH] Fix assertion violation for invalid class const objects in const expressions (#11458) Fixes oss-fuzz #59764 --- Zend/tests/oss_fuzz_59764.phpt | 8 ++++++++ Zend/zend_compile.c | 3 +++ 2 files changed, 11 insertions(+) create mode 100644 Zend/tests/oss_fuzz_59764.phpt diff --git a/Zend/tests/oss_fuzz_59764.phpt b/Zend/tests/oss_fuzz_59764.phpt new file mode 100644 index 00000000000..c8ba573ff9a --- /dev/null +++ b/Zend/tests/oss_fuzz_59764.phpt @@ -0,0 +1,8 @@ +--TEST-- +oss-fuzz #59764: Test +--FILE-- + +--EXPECTF-- +Fatal error: Class name must be a valid object or a string in %s on line %d diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c index 0b54823d202..21fc22e7314 100644 --- a/Zend/zend_compile.c +++ b/Zend/zend_compile.c @@ -10014,6 +10014,9 @@ static void zend_compile_const_expr_class_const(zend_ast **ast_ptr) /* {{{ */ zend_error_noreturn(E_COMPILE_ERROR, "Dynamic class names are not allowed in compile-time class constant references"); } + if (Z_TYPE_P(zend_ast_get_zval(class_ast)) != IS_STRING) { + zend_throw_error(NULL, "Class name must be a valid object or a string"); + } class_name = zend_ast_get_str(class_ast); fetch_type = zend_get_class_fetch_type(class_name);