Fix OSS-Fuzz #454273637: UAF with printf optimization and const output (#20261)

Note that ZEND_COPY_TMP isn't even valid for CONSTs, and we would need to add a ref even if it were, so just add special handling instead to simplify it.
2026-03-24 00:02:20 +01:00 · 2025-10-23 08:23:55 +02:00
parent f8656fae35
commit 09c39a8fd9
2 changed files with 19 additions and 3 deletions
--- a/Zend/tests/oss_fuzz_454273637.phpt
+++ b/Zend/tests/oss_fuzz_454273637.phpt
@@ -0,0 +1,8 @@
+--TEST--
+OSS-Fuzz #454273637 (UAF with printf optimization and const output)
+--FILE--
+<?php
+printf('%%');
+?>
+--EXPECT--
+%
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -5009,9 +5009,17 @@ static zend_result zend_compile_func_printf(znode *result, zend_ast_list *args)
 	 * pass in the Zend Optimizer if the result of the printf() is in fact
 	 * unused */
 	znode copy;
-	zend_emit_op_tmp(&copy, ZEND_COPY_TMP, &rope_result, NULL);
-	zend_emit_op(NULL, ZEND_ECHO, &rope_result, NULL);
-	zend_emit_op_tmp(result, ZEND_STRLEN, &copy, NULL);
+	if (rope_result.op_type != IS_CONST) {
+		/* Note: ZEND_COPY_TMP is only valid for TMPVAR. */
+		ZEND_ASSERT(rope_result.op_type == IS_TMP_VAR);
+		zend_emit_op_tmp(&copy, ZEND_COPY_TMP, &rope_result, NULL);
+		zend_emit_op(NULL, ZEND_ECHO, &rope_result, NULL);
+		zend_emit_op_tmp(result, ZEND_STRLEN, &copy, NULL);
+	} else {
+		zend_emit_op(NULL, ZEND_ECHO, &rope_result, NULL);
+		result->op_type = IS_CONST;
+		ZVAL_LONG(&result->u.constant, Z_STRLEN(rope_result.u.constant));
+	}

 	return SUCCESS;
 }