Fix OSS Fuzz #61865: Undef variable in ++/-- for declared property th…

…at is unset in error handler Reorder when we assign the property value to NULL which is identical to a3a3964 Just for the declared property case instead of dynamic. Closes GH-12114
php · Sep 5, 2023 · 8a392ed · 8a392ed
1 parent d7273c5
commit 8a392ed
Show file tree

Hide file tree

Showing 8 changed files with 125 additions and 1 deletion.
diff --git a/NEWS b/NEWS
@@ -10,6 +10,8 @@ PHP                                                                        NEWS
     closures). (ilutov)
   . Fixed bug GH-12060 (Internal iterator rewind handler is called twice).
     (ju1ius)
+  . Fixed OSS Fuzz #61865 (Undef variable in ++/-- for declared property
+    that is unset in error handler). (Girgias)
 
 
 - FPM:

diff --git a/Zend/tests/in-de-crement/oss-fuzz-61865_binop_declared_property_unset_error_handler.phpt b/Zend/tests/in-de-crement/oss-fuzz-61865_binop_declared_property_unset_error_handler.phpt
@@ -0,0 +1,18 @@
+--TEST--
+OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
+--FILE--
+<?php
+class C {
+    public $a;
+    function errorHandler($errno, $errstr) {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandler']);
+unset($c->a);
+$c->a += 5;
+var_dump($c->a);
+?>
+--EXPECT--
+int(5)
diff --git a/Zend/tests/in-de-crement/oss-fuzz-61865_postdec_declared_property_unset_error_handler.phpt b/Zend/tests/in-de-crement/oss-fuzz-61865_postdec_declared_property_unset_error_handler.phpt
@@ -0,0 +1,20 @@
+--TEST--
+OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
+--FILE--
+<?php
+class C {
+    public $a;
+    function errorHandler($errno, $errstr) {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandler']);
+unset($c->a);
+$v = ($c->a--);
+var_dump($c->a);
+var_dump($v);
+?>
+--EXPECT--
+NULL
+NULL
diff --git a/Zend/tests/in-de-crement/oss-fuzz-61865_postinc_declared_property_unset_error_handler.phpt b/Zend/tests/in-de-crement/oss-fuzz-61865_postinc_declared_property_unset_error_handler.phpt
@@ -0,0 +1,20 @@
+--TEST--
+OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
+--FILE--
+<?php
+class C {
+    public $a;
+    function errorHandler($errno, $errstr) {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandler']);
+unset($c->a);
+$v = ($c->a++);
+var_dump($c->a);
+var_dump($v);
+?>
+--EXPECT--
+int(1)
+NULL
diff --git a/Zend/tests/in-de-crement/oss-fuzz-61865_predec_declared_property_unset_error_handler.phpt b/Zend/tests/in-de-crement/oss-fuzz-61865_predec_declared_property_unset_error_handler.phpt
@@ -0,0 +1,18 @@
+--TEST--
+OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
+--FILE--
+<?php
+class C {
+    public $a;
+    function errorHandler($errno, $errstr) {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandler']);
+unset($c->a);
+(--$c->a);
+var_dump($c->a);
+?>
+--EXPECT--
+NULL
diff --git a/Zend/tests/in-de-crement/oss-fuzz-61865_preinc_declared_property_unset_error_handler.phpt b/Zend/tests/in-de-crement/oss-fuzz-61865_preinc_declared_property_unset_error_handler.phpt
@@ -0,0 +1,18 @@
+--TEST--
+OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
+--FILE--
+<?php
+class C {
+    public $a;
+    function errorHandler($errno, $errstr) {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandler']);
+unset($c->a);
+(++$c->a);
+var_dump($c->a);
+?>
+--EXPECT--
+int(1)
diff --git a/Zend/tests/in-de-crement/unset_property_converted_to_obj_in_error_handler.phpt b/Zend/tests/in-de-crement/unset_property_converted_to_obj_in_error_handler.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Unset declared property converted to object in error handler
+--FILE--
+<?php
+class C {
+    public $a;
+    function errorHandler() {
+        $this->a = new stdClass();
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandler']);
+unset($c->a);
+
+try {
+    (++$c->a);
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+}
+var_dump($c->a);
+?>
+--EXPECT--
+Cannot increment stdClass
+object(stdClass)#2 (0) {
+}
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -1117,8 +1117,11 @@ ZEND_API zval *zend_std_get_property_ptr_ptr(zend_object *zobj, zend_string *nam
 							ZSTR_VAL(name));
 						retval = &EG(error_zval);
 					} else {
-						ZVAL_NULL(retval);
 						zend_error(E_WARNING, "Undefined property: %s::$%s", ZSTR_VAL(zobj->ce->name), ZSTR_VAL(name));
+						/* An error handler may set the property */
+						 if (EXPECTED(Z_TYPE_P(retval) == IS_UNDEF)) {
+							ZVAL_NULL(retval);
+						 }
 					}
 				} else if (prop_info && UNEXPECTED(prop_info->flags & ZEND_ACC_READONLY)) {
 					/* Readonly property, delegate to read_property + write_property. */