Fix oss-fuzz #60709 unseting op via globals

Girgias · Girgias · commit 44b1ac35c5a6 · 2023-07-21T18:08:58.000+01:00
It turns out not just NULL is affected nor -- but also on booleans and this also affects properties
diff --git a/Zend/tests/in-de-crement/oss-fuzz-60709_globals.phpt b/Zend/tests/in-de-crement/oss-fuzz-60709_globals.phpt
@@ -0,0 +1,37 @@
+--TEST--
+oss-fuzz #60709: Test
+--FILE--
+<?php
+set_error_handler(function($_, $m) {
+    echo "$m\n";
+    unset($GLOBALS['x']);
+});
+
+echo "POST DEC\n";
+var_dump($x--);
+unset($x);
+echo "POST INC\n";
+var_dump($x++);
+unset($x);
+echo "PRE DEC\n";
+var_dump(--$x);
+unset($x);
+echo "PRE INC\n";
+var_dump(++$x);
+?>
+--EXPECT--
+POST DEC
+Undefined variable $x
+Decrement on type null has no effect, this will change in the next major version of PHP
+NULL
+POST INC
+Undefined variable $x
+NULL
+PRE DEC
+Undefined variable $x
+Decrement on type null has no effect, this will change in the next major version of PHP
+Undefined variable $x
+NULL
+PRE INC
+Undefined variable $x
+int(1)
diff --git a/Zend/tests/in-de-crement/unset_globals_in_error_handler.phpt b/Zend/tests/in-de-crement/unset_globals_in_error_handler.phpt
@@ -0,0 +1,135 @@
+--TEST--
+Unset variable via $GLOBALS array in error_handler
+--FILE--
+<?php
+set_error_handler(function($_, $m) {
+    echo "$m\n";
+    unset($GLOBALS['x']);
+});
+echo "NULL (only --)\n";
+echo "POST DEC\n";
+$x = null;
+var_dump($x--);
+unset($x);
+echo "PRE DEC\n";
+$x = null;
+var_dump(--$x);
+unset($x);
+echo "Empty string\n";
+echo "POST INC\n";
+$x = "";
+var_dump($x++);
+unset($x);
+echo "POST DEC\n";
+$x = "";
+var_dump($x--);
+unset($x);
+echo "PRE INC\n";
+$x = "";
+var_dump(++$x);
+unset($x);
+echo "PRE DEC\n";
+$x = "";
+var_dump(--$x);
+unset($x);
+echo "Non fill ASCII (only ++)\n";
+echo "POST INC\n";
+$x = " ad ";
+var_dump($x++);
+unset($x);
+echo "PRE INC\n";
+$x = " ad ";
+var_dump(++$x);
+unset($x);
+echo "Bool\n";
+echo "POST INC\n";
+$x = false;
+var_dump($x++);
+unset($x);
+echo "POST DEC\n";
+$x = false;
+var_dump($x--);
+unset($x);
+echo "PRE INC\n";
+$x = false;
+var_dump(++$x);
+unset($x);
+echo "PRE DEC\n";
+$x = false;
+var_dump(--$x);
+unset($x);
+echo "POST INC\n";
+$x = true;
+var_dump($x++);
+unset($x);
+echo "POST DEC\n";
+$x = true;
+var_dump($x--);
+unset($x);
+echo "PRE INC\n";
+$x = true;
+var_dump(++$x);
+unset($x);
+echo "PRE DEC\n";
+$x = true;
+var_dump(--$x);
+unset($x);
+?>
+--EXPECT--
+NULL (only --)
+POST DEC
+Decrement on type null has no effect, this will change in the next major version of PHP
+NULL
+PRE DEC
+Decrement on type null has no effect, this will change in the next major version of PHP
+Undefined variable $x
+NULL
+Empty string
+POST INC
+Increment on non-alphanumeric string is deprecated
+string(0) ""
+POST DEC
+Decrement on empty string is deprecated as non-numeric
+string(0) ""
+PRE INC
+Increment on non-alphanumeric string is deprecated
+string(1) "1"
+PRE DEC
+Decrement on empty string is deprecated as non-numeric
+int(-1)
+Non fill ASCII (only ++)
+POST INC
+Increment on non-alphanumeric string is deprecated
+string(4) " ad "
+PRE INC
+Increment on non-alphanumeric string is deprecated
+string(4) " ad "
+Bool
+POST INC
+Increment on type bool has no effect, this will change in the next major version of PHP
+bool(false)
+POST DEC
+Decrement on type bool has no effect, this will change in the next major version of PHP
+bool(false)
+PRE INC
+Increment on type bool has no effect, this will change in the next major version of PHP
+Undefined variable $x
+NULL
+PRE DEC
+Decrement on type bool has no effect, this will change in the next major version of PHP
+Undefined variable $x
+NULL
+POST INC
+Increment on type bool has no effect, this will change in the next major version of PHP
+bool(true)
+POST DEC
+Decrement on type bool has no effect, this will change in the next major version of PHP
+bool(true)
+PRE INC
+Increment on type bool has no effect, this will change in the next major version of PHP
+Undefined variable $x
+NULL
+PRE DEC
+Decrement on type bool has no effect, this will change in the next major version of PHP
+Undefined variable $x
+NULL
diff --git a/Zend/tests/in-de-crement/unset_object_property_in_error_handler.phpt b/Zend/tests/in-de-crement/unset_object_property_in_error_handler.phpt
@@ -0,0 +1,143 @@
+--TEST--
+Unset property via error_handler
+--FILE--
+<?php
+class C {
+    public $a;
+
+    public function errorHandler($errno, $errstr) {
+        var_dump($errstr);
+        unset($this->a);
+    }
+}
+
+$c = new C;
+set_error_handler([$c, 'errorHandler']);
+
+/* default property value */
+var_dump(--$c->a);
+
+echo "NULL (only --)\n";
+echo "POST DEC\n";
+$c->a = null;
+var_dump($c->a--);
+unset($c->a);
+echo "PRE DEC\n";
+$c->a = null;
+var_dump(--$c->a);
+unset($c->a);
+echo "Empty string\n";
+echo "POST INC\n";
+$c->a = "";
+var_dump($c->a++);
+unset($c->a);
+echo "POST DEC\n";
+$c->a = "";
+var_dump($c->a--);
+unset($c->a);
+echo "PRE INC\n";
+$c->a = "";
+var_dump(++$c->a);
+unset($c->a);
+echo "PRE DEC\n";
+$c->a = "";
+var_dump(--$c->a);
+unset($c->a);
+echo "Non fill ASCII (only ++)\n";
+echo "POST INC\n";
+$c->a = " ad ";
+var_dump($c->a++);
+unset($c->a);
+echo "PRE INC\n";
+$c->a = " ad ";
+var_dump(++$c->a);
+unset($c->a);
+echo "Bool\n";
+echo "POST INC\n";
+$c->a = false;
+var_dump($c->a++);
+unset($c->a);
+echo "POST DEC\n";
+$c->a = false;
+var_dump($c->a--);
+unset($c->a);
+echo "PRE INC\n";
+$c->a = false;
+var_dump(++$c->a);
+unset($c->a);
+echo "PRE DEC\n";
+$c->a = false;
+var_dump(--$c->a);
+unset($c->a);
+echo "POST INC\n";
+$c->a = true;
+var_dump($c->a++);
+unset($c->a);
+echo "POST DEC\n";
+$c->a = true;
+var_dump($c->a--);
+unset($c->a);
+echo "PRE INC\n";
+$c->a = true;
+var_dump(++$c->a);
+unset($c->a);
+echo "PRE DEC\n";
+$c->a = true;
+var_dump(--$c->a);
+unset($c->a);
+?>
+--EXPECT--
+string(87) "Decrement on type null has no effect, this will change in the next major version of PHP"
+NULL
+NULL (only --)
+POST DEC
+string(87) "Decrement on type null has no effect, this will change in the next major version of PHP"
+NULL
+PRE DEC
+string(87) "Decrement on type null has no effect, this will change in the next major version of PHP"
+NULL
+Empty string
+POST INC
+string(50) "Increment on non-alphanumeric string is deprecated"
+string(0) ""
+POST DEC
+string(54) "Decrement on empty string is deprecated as non-numeric"
+string(0) ""
+PRE INC
+string(50) "Increment on non-alphanumeric string is deprecated"
+string(1) "1"
+PRE DEC
+string(54) "Decrement on empty string is deprecated as non-numeric"
+int(-1)
+Non fill ASCII (only ++)
+POST INC
+string(50) "Increment on non-alphanumeric string is deprecated"
+string(4) " ad "
+PRE INC
+string(50) "Increment on non-alphanumeric string is deprecated"
+string(4) " ad "
+Bool
+POST INC
+string(87) "Increment on type bool has no effect, this will change in the next major version of PHP"
+bool(false)
+POST DEC
+string(87) "Decrement on type bool has no effect, this will change in the next major version of PHP"
+bool(false)
+PRE INC
+string(87) "Increment on type bool has no effect, this will change in the next major version of PHP"
+NULL
+PRE DEC
+string(87) "Decrement on type bool has no effect, this will change in the next major version of PHP"
+NULL
+POST INC
+string(87) "Increment on type bool has no effect, this will change in the next major version of PHP"
+bool(true)
+POST DEC
+string(87) "Decrement on type bool has no effect, this will change in the next major version of PHP"
+bool(true)
+PRE INC
+string(87) "Increment on type bool has no effect, this will change in the next major version of PHP"
+NULL
+PRE DEC
+string(87) "Decrement on type bool has no effect, this will change in the next major version of PHP"
+NULL
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
@@ -2022,6 +2022,10 @@ static void zend_pre_incdec_property_zval(zval *prop, zend_property_info *prop_i
 		} while (0);
 	}
 	if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
+		/* Error handler can mess up properties and unset it */
+		if (UNEXPECTED(Z_TYPE_P(prop) == IS_UNDEF)) {
+			ZVAL_NULL(prop);
+		}
 		ZVAL_COPY(EX_VAR(opline->result.var), prop);
 	}
 }
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -1509,6 +1509,14 @@ ZEND_VM_HELPER(zend_pre_inc_helper, VAR|CV, ANY)
 	} while (0);
 
 	if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
+		/* Error handler can mess up globals and unset it */
+		if (UNEXPECTED(Z_TYPE_P(var_ptr) == IS_UNDEF)) {
+			ZVAL_UNDEFINED_OP1();
+			if (UNEXPECTED(EG(exception))) {
+				HANDLE_EXCEPTION();
+			}
+			ZVAL_NULL(var_ptr);
+		}
 		ZVAL_COPY(EX_VAR(opline->result.var), var_ptr);
 	}
 
@@ -1567,6 +1575,14 @@ ZEND_VM_HELPER(zend_pre_dec_helper, VAR|CV, ANY)
 	} while (0);
 
 	if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
+		/* Error handler can mess up globals and unset it */
+		if (UNEXPECTED(Z_TYPE_P(var_ptr) == IS_UNDEF)) {
+			ZVAL_UNDEFINED_OP1();
+			if (UNEXPECTED(EG(exception))) {
+				HANDLE_EXCEPTION();
+			}
+			ZVAL_NULL(var_ptr);
+		}
 		ZVAL_COPY(EX_VAR(opline->result.var), var_ptr);
 	}
 
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h

Original file line number	Diff line number	Diff line change
`@@ -2022,6 +2022,10 @@ static void zend_pre_incdec_property_zval(zval prop, zend_property_info prop_i`
`2022`	`2022`	`} while (0);`
`2023`	`2023`	`}`
`2024`	`2024`	`if (UNEXPECTED(RETURN_VALUE_USED(opline))) {`
	`2025`	`+ /* Error handler can mess up properties and unset it */`
	`2026`	`+ if (UNEXPECTED(Z_TYPE_P(prop) == IS_UNDEF)) {`
	`2027`	`+ ZVAL_NULL(prop);`
	`2028`	`+ }`
`2025`	`2029`	`ZVAL_COPY(EX_VAR(opline->result.var), prop);`
`2026`	`2030`	`}`
`2027`	`2031`	`}`