Fix OP1 leak in error path of post inc/dec

Fixes oss-fuzz #63802 Closes GH-12599
2026-03-24 00:02:20 +01:00 · 2023-11-02 16:54:23 +01:00
parent 83bbea7c5b
commit ddabe89add
4 changed files with 35 additions and 18 deletions
--- a/1
+++ b/1
@@ -12,6 +12,7 @@ PHP                                                                        NEWS
  . Fixed max_execution_time: don't delete an unitialized timer. (Kévin Dunglas)
  . Fixed bug GH-12558 (Arginfo soft-breaks with namespaced class return type
    if the class name starts with N). (kocsismate)
+  . Fixed oss-fuzz #63802 (OP1 leak in error path of post inc/dec). (ilutov)

 - DOM:
  . Fix registerNodeClass with abstract class crashing. (nielsdos)
--- a/Zend/tests/oss_fuzz_63802.phpt
+++ b/Zend/tests/oss_fuzz_63802.phpt
@@ -0,0 +1,34 @@
+--TEST--
+oss-fuzz #63802: OP1 leak in error path of post inc/dec
+--FILE--
+<?php
+class Foo {
+    public function preInc() {
+        ++$this > 42;
+    }
+    public function preDec() {
+        --$this > 42;
+    }
+    public function postInc() {
+        $this++ > 42;
+    }
+    public function postDec() {
+        $this-- > 42;
+    }
+}
+$foo = new Foo();
+foreach (['pre', 'post'] as $prePost) {
+    foreach (['inc', 'dec'] as $incDec) {
+        try {
+            $foo->{$prePost . ucfirst($incDec)}();
+        } catch (TypeError $e) {
+            echo $e->getMessage(), "\n";
+        }
+    }
+}
+?>
+--EXPECT--
+Cannot increment Foo
+Cannot decrement Foo
+Cannot increment Foo
+Cannot decrement Foo
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1606,9 +1606,6 @@ ZEND_VM_HELPER(zend_post_inc_helper, VAR|CV, ANY)
 		ZVAL_COPY(EX_VAR(opline->result.var), var_ptr);

 		increment_function(var_ptr);
-		if (UNEXPECTED(EG(exception))) {
-			HANDLE_EXCEPTION();
-		}
 	} while (0);

 	FREE_OP1();
@@ -1657,9 +1654,6 @@ ZEND_VM_HELPER(zend_post_dec_helper, VAR|CV, ANY)
 		ZVAL_COPY(EX_VAR(opline->result.var), var_ptr);

 		decrement_function(var_ptr);
-		if (UNEXPECTED(EG(exception))) {
-			HANDLE_EXCEPTION();
-		}
 	} while (0);

 	FREE_OP1();
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -21782,9 +21782,6 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_inc_hel
 		ZVAL_COPY(EX_VAR(opline->result.var), var_ptr);

 		increment_function(var_ptr);
-		if (UNEXPECTED(EG(exception))) {
-			HANDLE_EXCEPTION();
-		}
 	} while (0);

 	zval_ptr_dtor_nogc(EX_VAR(opline->op1.var));
@@ -21833,9 +21830,6 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_dec_hel
 		ZVAL_COPY(EX_VAR(opline->result.var), var_ptr);

 		decrement_function(var_ptr);
-		if (UNEXPECTED(EG(exception))) {
-			HANDLE_EXCEPTION();
-		}
 	} while (0);

 	zval_ptr_dtor_nogc(EX_VAR(opline->op1.var));
@@ -39149,9 +39143,6 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_inc_hel
 		ZVAL_COPY(EX_VAR(opline->result.var), var_ptr);

 		increment_function(var_ptr);
-		if (UNEXPECTED(EG(exception))) {
-			HANDLE_EXCEPTION();
-		}
 	} while (0);

 	ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();
@@ -39199,9 +39190,6 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_dec_hel
 		ZVAL_COPY(EX_VAR(opline->result.var), var_ptr);

 		decrement_function(var_ptr);
-		if (UNEXPECTED(EG(exception))) {
-			HANDLE_EXCEPTION();
-		}
 	} while (0);

 	ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();