Fix type narrowing warning during type inference of ZEND_FETCH_DIM_W

Fixes oss-fuzz #45820
php · Apr 25, 2022 · 8286de2 · 8286de2
1 parent a74b865
commit 8286de2
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/ext/opcache/Optimizer/zend_inference.c b/ext/opcache/Optimizer/zend_inference.c
@@ -3294,11 +3294,12 @@ static zend_always_inline int _zend_update_type_info(
 						ZEND_ASSERT(j < 0 && "There should only be one use");
 					}
 				}
-				if ((tmp & MAY_BE_ARRAY) && (tmp & MAY_BE_ARRAY_KEY_ANY)) {
+				if (((tmp & MAY_BE_ARRAY) && (tmp & MAY_BE_ARRAY_KEY_ANY)) || opline->opcode == ZEND_FETCH_DIM_FUNC_ARG) {
 					UPDATE_SSA_TYPE(tmp, ssa_op->op1_def);
 				} else {
 					/* invalid key type */
-					tmp = (tmp & (MAY_BE_RC1|MAY_BE_RCN)) | (t1 & ~(MAY_BE_RC1|MAY_BE_RCN));
+					tmp = (tmp & (MAY_BE_RC1|MAY_BE_RCN|MAY_BE_ARRAY)) |
+						(t1 & ~(MAY_BE_RC1|MAY_BE_RCN|MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE));
 					UPDATE_SSA_TYPE(tmp, ssa_op->op1_def);
 				}
 				COPY_SSA_OBJ_TYPE(ssa_op->op1_use, ssa_op->op1_def);

diff --git a/ext/opcache/tests/opt/inference_004.phpt b/ext/opcache/tests/opt/inference_004.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Type inference 004: Type narrowing warning during type inference of ZEND_FETCH_DIM_W
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=-1
+--FILE--
+<?php
+function y() {
+    for(;;){
+        $arr[]->y = c;
+        $arr = c;
+    }
+}
+?>
+DONE
+--EXPECT--
+DONE