Fix zend_jit_undefined_long_key overwriting dim when dim == result

Fixes oss-fuzz #64727
Closes GH-12900

Author: iluuu1994

NEWS

@@ -6,6 +6,10 @@ PHP                                                                        NEWS
   . Fix incorrect timeout in built-in web server when using router script and
     max_input_time. (ilutov)
 
+- Opcache:
+  . Fixed oss-fuzz #64727 (JIT undefined array key warning may overwrite DIM
+    with NULL when DIM is the same var as result). (ilutov)
+
 21 Dec 2023, PHP 8.2.14
 
 - Core:

ext/opcache/jit/zend_jit_vm_helpers.c

@@ -205,14 +205,14 @@ void ZEND_FASTCALL zend_jit_undefined_long_key(EXECUTE_DATA_D)
 	zval *result = EX_VAR(opline->result.var);
 	zval *dim;
 
-	ZVAL_NULL(result);
 	if (opline->op2_type == IS_CONST) {
 		dim = RT_CONSTANT(opline, opline->op2);
 	} else {
 		dim = EX_VAR(opline->op2.var);
 	}
 	ZEND_ASSERT(Z_TYPE_P(dim) == IS_LONG);
 	zend_error(E_WARNING, "Undefined array key " ZEND_LONG_FMT, Z_LVAL_P(dim));
+	ZVAL_NULL(result);
 }
 
 void ZEND_FASTCALL zend_jit_undefined_string_key(EXECUTE_DATA_D)
@@ -222,7 +222,6 @@ void ZEND_FASTCALL zend_jit_undefined_string_key(EXECUTE_DATA_D)
 	zval *dim;
 	zend_ulong lval;
 
-	ZVAL_NULL(result);
 	if (opline->op2_type == IS_CONST) {
 		dim = RT_CONSTANT(opline, opline->op2);
 	} else {
@@ -234,6 +233,7 @@ void ZEND_FASTCALL zend_jit_undefined_string_key(EXECUTE_DATA_D)
 	} else {
 		zend_error(E_WARNING, "Undefined array key \"%s\"", Z_STRVAL_P(dim));
 	}
+	ZVAL_NULL(result);
 }
 
 ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_jit_profile_helper(ZEND_OPCODE_HANDLER_ARGS)

ext/opcache/tests/jit/oss-fuzz-64727.phpt

@@ -0,0 +1,27 @@
+--TEST--
+oss-fuzz #64727
+--INI--
+opcache.enable_cli=1
+opcache.jit_buffer_size=64M
+opcache.jit=function
+--EXTENSIONS--
+opcache
+--FILE--
+<?php
+function test(){
+    $a = null;
+    $b = null;
+    for($i = 0; $i < 2; $i++){
+        $a = $a + $b;
+        var_dump($a);
+        $a = @[3][$a];
+        var_dump($a);
+    }
+}
+test();
+?>
+--EXPECT--
+int(0)
+int(3)
+int(3)
+NULL