From 3187692469894fc6b597f4e94b25748ba5194d51 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <ilia@ilia.ws>
Date: Thu, 21 May 2026 17:37:02 -0400
Subject: [PATCH] Fix GH-22112: assertion when error handler throws during NaN
 coercion

zend_parse_arg_bool_weak and zend_parse_arg_str_weak could return success
with EG(exception) already set, because zend_is_true and convert_to_string
emit the NaN coercion warning without checking whether the user error
handler threw. Recv-arg verification for a userland function then took
the no-check ZEND_VM_NEXT_OPCODE branch, aborting on
ZEND_ASSERT(!EG(exception)). Mirror the existing check in
zend_parse_arg_long_weak and propagate failure when the warning leaves
an exception pending.

Fixes GH-22112
---
 Zend/tests/type_coercion/gh22112.phpt | 35 +++++++++++++++++++++++++++
 Zend/zend_API.c                       |  9 ++++++-
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/type_coercion/gh22112.phpt

diff --git a/Zend/tests/type_coercion/gh22112.phpt b/Zend/tests/type_coercion/gh22112.phpt
new file mode 100644
index 000000000000..864f5313055b
--- /dev/null
+++ b/Zend/tests/type_coercion/gh22112.phpt
@@ -0,0 +1,35 @@
+--TEST--
+GH-22112 (Assertion failure when error handler throws during NaN to bool/string coercion at function entry)
+--FILE--
+<?php
+
+set_error_handler(function ($errno, $errstr) {
+    throw new RuntimeException($errstr);
+});
+
+function take_bool(bool $v) {
+    echo "take_bool entered\n";
+}
+
+function take_string(string $v) {
+    echo "take_string entered\n";
+}
+
+$nan = fdiv(0, 0);
+
+try {
+    take_bool($nan);
+} catch (RuntimeException $e) {
+    echo "bool: ", $e->getMessage(), "\n";
+}
+
+try {
+    take_string($nan);
+} catch (RuntimeException $e) {
+    echo "string: ", $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+bool: unexpected NAN value was coerced to bool
+string: unexpected NAN value was coerced to string
diff --git a/Zend/zend_API.c b/Zend/zend_API.c
index 65834adbafff..3063dbb71801 100644
--- a/Zend/zend_API.c
+++ b/Zend/zend_API.c
@@ -515,7 +515,11 @@ ZEND_API zpp_parse_bool_status ZEND_FASTCALL zend_parse_arg_bool_weak(const zval
 		if (UNEXPECTED(Z_TYPE_P(arg) == IS_NULL) && !zend_null_arg_deprecated("bool", arg_num)) {
 			return ZPP_PARSE_BOOL_STATUS_ERROR;
 		}
-		return zend_is_true(arg);
+		zpp_parse_bool_status result = (zpp_parse_bool_status) zend_is_true(arg);
+		if (UNEXPECTED(EG(exception))) {
+			return ZPP_PARSE_BOOL_STATUS_ERROR;
+		}
+		return result;
 	}
 	return ZPP_PARSE_BOOL_STATUS_ERROR;
 }
@@ -735,6 +739,9 @@ ZEND_API zend_string* ZEND_FASTCALL zend_parse_arg_str_weak(zval *arg, uint32_t
 			return NULL;
 		}
 		convert_to_string(arg);
+		if (UNEXPECTED(EG(exception))) {
+			return NULL;
+		}
 		return Z_STR_P(arg);
 	} else if (UNEXPECTED(Z_TYPE_P(arg) == IS_OBJECT)) {
 		zend_object *zobj = Z_OBJ_P(arg);