Fix constant update for shadowed private property

Updating based on the properties info HT will miss private parent
properties that have been shadowed in the child class. Instead,
perform updating directly on the default properties table.

We can't do the same for static properties, because those don't
have a convenient way to look up the property type from the
property offset. However, I don't believe the problem exists for
static properties, because we're always going to be using the
property on the class it was declared on, while children only hold
INDIRECT references. As such, this should be covered by parent
class const updating.

Fixes oss-fuzz #35906.

Author: nikic

Zend/tests/update_consts_shadowed_private_prop.phpt

@@ -0,0 +1,22 @@
+--TEST--
+Constant updating for shadowed private property
+--FILE--
+<?php
+class Foo {
+    private $prop = X;
+    function test() {
+        var_dump($this->prop);
+    }
+}
+
+class Bar extends Foo {
+    protected $prop;
+}
+
+define('X', 1);
+$bar = new Bar;
+$bar->test();
+
+?>
+--EXPECT--
+int(1)

Zend/zend_API.c

@@ -1213,6 +1213,27 @@ ZEND_API void zend_merge_properties(zval *obj, HashTable *properties) /* {{{ */
 }
 /* }}} */
 
+static zend_result update_property(zval *val, zend_property_info *prop_info) {
+	if (ZEND_TYPE_IS_SET(prop_info->type)) {
+		zval tmp;
+
+		ZVAL_COPY(&tmp, val);
+		if (UNEXPECTED(zval_update_constant_ex(&tmp, prop_info->ce) != SUCCESS)) {
+			zval_ptr_dtor(&tmp);
+			return FAILURE;
+		}
+		/* property initializers must always be evaluated with strict types */;
+		if (UNEXPECTED(!zend_verify_property_type(prop_info, &tmp, /* strict */ 1))) {
+			zval_ptr_dtor(&tmp);
+			return FAILURE;
+		}
+		zval_ptr_dtor(val);
+		ZVAL_COPY_VALUE(val, &tmp);
+		return SUCCESS;
+	}
+	return zval_update_constant_ex(val, prop_info->ce);
+}
+
 ZEND_API zend_result zend_update_class_constants(zend_class_entry *class_type) /* {{{ */
 {
 	if (!(class_type->ce_flags & ZEND_ACC_CONSTANTS_UPDATED)) {
@@ -1241,33 +1262,28 @@ ZEND_API zend_result zend_update_class_constants(zend_class_entry *class_type) /
 			}
 		}
 
-		ZEND_HASH_FOREACH_PTR(&class_type->properties_info, prop_info) {
-			if (prop_info->flags & ZEND_ACC_STATIC) {
-				val = CE_STATIC_MEMBERS(class_type) + prop_info->offset;
-			} else {
-				val = (zval*)((char*)class_type->default_properties_table + prop_info->offset - OBJ_PROP_TO_OFFSET(0));
+		/* Use the default properties table to also update initializers of private properties
+		 * that have been shadowed in a child class. */
+		for (uint32_t i = 0; i < class_type->default_properties_count; i++) {
+			val = &class_type->default_properties_table[i];
+			prop_info = class_type->properties_info_table[i];
+			if (Z_TYPE_P(val) == IS_CONSTANT_AST
+					&& UNEXPECTED(update_property(val, prop_info) != SUCCESS)) {
+				return FAILURE;
 			}
-			if (Z_TYPE_P(val) == IS_CONSTANT_AST) {
-				if (ZEND_TYPE_IS_SET(prop_info->type)) {
-					zval tmp;
+		}
 
-					ZVAL_COPY(&tmp, val);
-					if (UNEXPECTED(zval_update_constant_ex(&tmp, prop_info->ce) != SUCCESS)) {
-						zval_ptr_dtor(&tmp);
-						return FAILURE;
-					}
-					/* property initializers must always be evaluated with strict types */;
-					if (UNEXPECTED(!zend_verify_property_type(prop_info, &tmp, /* strict */ 1))) {
-						zval_ptr_dtor(&tmp);
+		if (class_type->default_static_members_count) {
+			ZEND_HASH_FOREACH_PTR(&class_type->properties_info, prop_info) {
+				if (prop_info->flags & ZEND_ACC_STATIC) {
+					val = CE_STATIC_MEMBERS(class_type) + prop_info->offset;
+					if (Z_TYPE_P(val) == IS_CONSTANT_AST
+							&& UNEXPECTED(update_property(val, prop_info) != SUCCESS)) {
 						return FAILURE;
 					}
-					zval_ptr_dtor(val);
-					ZVAL_COPY_VALUE(val, &tmp);
-				} else if (UNEXPECTED(zval_update_constant_ex(val, prop_info->ce) != SUCCESS)) {
-					return FAILURE;
 				}
-			}
-		} ZEND_HASH_FOREACH_END();
+			} ZEND_HASH_FOREACH_END();
+		}
 
 		class_type->ce_flags |= ZEND_ACC_CONSTANTS_UPDATED;
 	}