Fix type inference

Use MAY_BE_NULL result (insted of empty) for ASSIGN_DIM with invalid arguments This fixes oss-fuzz #46840
php · Apr 25, 2022 · 3e78964 · 3e78964
1 parent 8286de2
commit 3e78964
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/ext/opcache/Optimizer/zend_inference.c b/ext/opcache/Optimizer/zend_inference.c
@@ -2639,6 +2639,9 @@ static zend_always_inline int _zend_update_type_info(
 						tmp |= MAY_BE_NULL|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_LONG|MAY_BE_DOUBLE|MAY_BE_STRING;
 					}
 				}
+				if (!tmp) {
+					tmp = MAY_BE_NULL;
+				}
 				tmp |= MAY_BE_RC1 | MAY_BE_RCN;
 				UPDATE_SSA_TYPE(tmp, ssa_op->result_def);
 			}

diff --git a/ext/opcache/tests/opt/inference_005.phpt b/ext/opcache/tests/opt/inference_005.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Type inference 005: Use MAY_BE_NULL result (insted of empty) for ASSIGN_DIM with invalid arguments
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=-1
+--FILE--
+<?php
+function foo() {
+    $a = $r[] = $r = [] & $y;
+    +list(&$y) = $a;
+}
+?>
+DONE
+--EXPECT--
+DONE