Detect self-addition of array more accurately

nikic · nikic · commit 3c4dd73c023e · 2020-10-12T11:24:31.000+02:00
While the zvals may be different, they may still point to the
same array.

Fixes oss-fuzz #26245.
diff --git a/Zend/tests/array_self_add_globals.phpt b/Zend/tests/array_self_add_globals.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Add $GLOBALS to itself
+--FILE--
+<?php
+$GLOBALS += $GLOBALS;
+$x = $GLOBALS + $GLOBALS;
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
@@ -903,7 +903,7 @@ ZEND_API zend_string* ZEND_FASTCALL zval_get_string_func(zval *op) /* {{{ */
 
 static zend_never_inline void ZEND_FASTCALL add_function_array(zval *result, zval *op1, zval *op2) /* {{{ */
 {
-	if ((result == op1) && (result == op2)) {
+	if (result == op1 && Z_ARR_P(op1) == Z_ARR_P(op2)) {
 		/* $a += $a */
 		return;
 	}

Original file line number	Diff line number	Diff line change
`@@ -903,7 +903,7 @@ ZEND_API zend_string* ZEND_FASTCALL zval_get_string_func(zval op) / {{{ */`
`903`	`903`
`904`	`904`	`static zend_never_inline void ZEND_FASTCALL add_function_array(zval result, zval op1, zval op2) / {{{ */`
`905`	`905`	`{`
`906`		`- if ((result == op1) && (result == op2)) {`
	`906`	`+ if (result == op1 && Z_ARR_P(op1) == Z_ARR_P(op2)) {`
`907`	`907`	`/* $a += $a */`
`908`	`908`	`return;`
`909`	`909`	`}`