Fix OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler

Reorder when we assign the property value to NULL which is identical to a3a3964497 Just for the declared property case instead of dynamic. Closes GH-12114
2026-03-24 00:02:20 +01:00 · 2023-09-03 00:12:25 +01:00
parent d7273c5963
commit 8a392eddf9
8 changed files with 125 additions and 1 deletions
--- a/2
+++ b/2
@@ -10,6 +10,8 @@ PHP                                                                        NEWS
    closures). (ilutov)
  . Fixed bug GH-12060 (Internal iterator rewind handler is called twice).
    (ju1ius)
+  . Fixed OSS Fuzz #61865 (Undef variable in ++/-- for declared property
+    that is unset in error handler). (Girgias)


 - FPM:
--- a/Zend/tests/in-de-crement/oss-fuzz-61865_binop_declared_property_unset_error_handler.phpt
+++ b/Zend/tests/in-de-crement/oss-fuzz-61865_binop_declared_property_unset_error_handler.phpt
@@ -0,0 +1,18 @@
+--TEST--
+OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
+--FILE--
+<?php
+class C {
+    public $a;
+    function errorHandler($errno, $errstr) {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandler']);
+unset($c->a);
+$c->a += 5;
+var_dump($c->a);
+?>
+--EXPECT--
+int(5)
--- a/Zend/tests/in-de-crement/oss-fuzz-61865_postdec_declared_property_unset_error_handler.phpt
+++ b/Zend/tests/in-de-crement/oss-fuzz-61865_postdec_declared_property_unset_error_handler.phpt
@@ -0,0 +1,20 @@
+--TEST--
+OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
+--FILE--
+<?php
+class C {
+    public $a;
+    function errorHandler($errno, $errstr) {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandler']);
+unset($c->a);
+$v = ($c->a--);
+var_dump($c->a);
+var_dump($v);
+?>
+--EXPECT--
+NULL
+NULL
--- a/Zend/tests/in-de-crement/oss-fuzz-61865_postinc_declared_property_unset_error_handler.phpt
+++ b/Zend/tests/in-de-crement/oss-fuzz-61865_postinc_declared_property_unset_error_handler.phpt
@@ -0,0 +1,20 @@
+--TEST--
+OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
+--FILE--
+<?php
+class C {
+    public $a;
+    function errorHandler($errno, $errstr) {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandler']);
+unset($c->a);
+$v = ($c->a++);
+var_dump($c->a);
+var_dump($v);
+?>
+--EXPECT--
+int(1)
+NULL
--- a/Zend/tests/in-de-crement/oss-fuzz-61865_predec_declared_property_unset_error_handler.phpt
+++ b/Zend/tests/in-de-crement/oss-fuzz-61865_predec_declared_property_unset_error_handler.phpt
@@ -0,0 +1,18 @@
+--TEST--
+OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
+--FILE--
+<?php
+class C {
+    public $a;
+    function errorHandler($errno, $errstr) {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandler']);
+unset($c->a);
+(--$c->a);
+var_dump($c->a);
+?>
+--EXPECT--
+NULL
--- a/Zend/tests/in-de-crement/oss-fuzz-61865_preinc_declared_property_unset_error_handler.phpt
+++ b/Zend/tests/in-de-crement/oss-fuzz-61865_preinc_declared_property_unset_error_handler.phpt
@@ -0,0 +1,18 @@
+--TEST--
+OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
+--FILE--
+<?php
+class C {
+    public $a;
+    function errorHandler($errno, $errstr) {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandler']);
+unset($c->a);
+(++$c->a);
+var_dump($c->a);
+?>
+--EXPECT--
+int(1)
--- a/Zend/tests/in-de-crement/unset_property_converted_to_obj_in_error_handler.phpt
+++ b/Zend/tests/in-de-crement/unset_property_converted_to_obj_in_error_handler.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Unset declared property converted to object in error handler
+--FILE--
+<?php
+class C {
+    public $a;
+    function errorHandler() {
+        $this->a = new stdClass();
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandler']);
+unset($c->a);
+
+try {
+    (++$c->a);
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+}
+var_dump($c->a);
+?>
+--EXPECT--
+Cannot increment stdClass
+object(stdClass)#2 (0) {
+}
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -1117,8 +1117,11 @@ ZEND_API zval *zend_std_get_property_ptr_ptr(zend_object *zobj, zend_string *nam
 							ZSTR_VAL(name));
 						retval = &EG(error_zval);
 					} else {
-						ZVAL_NULL(retval);
 						zend_error(E_WARNING, "Undefined property: %s::$%s", ZSTR_VAL(zobj->ce->name), ZSTR_VAL(name));
+						/* An error handler may set the property */
+						 if (EXPECTED(Z_TYPE_P(retval) == IS_UNDEF)) {
+							ZVAL_NULL(retval);
+						 }
 					}
 				} else if (prop_info && UNEXPECTED(prop_info->flags & ZEND_ACC_READONLY)) {
 					/* Readonly property, delegate to read_property + write_property. */