Handle FETCH_DIM_R after FETCH_DIM_FUNC_ARG in inference

This can happen if a call is optimized, but FETCH_DIM_FUNC_ARG cannot be converted to FETCH_DIM_R because it uses an UNUSED op2, which is not supported by FETCH_DIM_R. Fixes oss-fuzz 6144185837682688.
php · Nov 1, 2021 · 2e29817 · 2e29817
1 parent f8ec5a1
commit 2e29817
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/Zend/tests/func_arg_fetch_optimization.phpt b/Zend/tests/func_arg_fetch_optimization.phpt
@@ -0,0 +1,15 @@
+--TEST--
+FETCH_DIM_FUNC_ARG that cannot be optimized to FETCH_DIM_R because it appends
+--FILE--
+<?php
+function test($x) {
+    test($x[][$y]);
+}
+try {
+    test([]);
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+Cannot use [] for reading
diff --git a/ext/opcache/Optimizer/zend_inference.c b/ext/opcache/Optimizer/zend_inference.c
@@ -3389,6 +3389,7 @@ static zend_always_inline int _zend_update_type_info(
 								 * is already an object. */
 								break;
 							case ZEND_SEND_VAR:
+							case ZEND_FETCH_DIM_R:
 								/* This can occur if a DIM_FETCH_FUNC_ARG with UNUSED op2 is left
 								 * behind, because it can't be converted to DIM_FETCH_R. */
 								break;