JIT: Fix uninitialized result of ASSIGN_DIM[_OP] after clobbering array by user error handler

dstogov · dstogov · commit 6e1fe9696238 · 2021-11-30T11:40:18.000+03:00
Fixes oss-fuzz #41208
diff --git a/ext/opcache/jit/zend_jit_helpers.c b/ext/opcache/jit/zend_jit_helpers.c
@@ -673,6 +673,8 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_rw_helper(zend_array *ht, zval *di
 	zend_ulong hval;
 	zend_string *offset_key;
 	zval *retval;
+	zend_execute_data *execute_data;
+	const zend_op *opline;
 
 	if (Z_TYPE_P(dim) == IS_REFERENCE) {
 		dim = Z_REFVAL_P(dim);
@@ -686,9 +688,15 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_rw_helper(zend_array *ht, zval *di
 			offset_key = Z_STR_P(dim);
 			goto str_index;
 		case IS_UNDEF:
-			if (!zend_jit_undefined_op_helper_write(ht, EG(current_execute_data)->opline->op2.var)) {
-				if (EG(exception)) {
-					undef_result_after_exception();
+			execute_data = EG(current_execute_data);
+			opline = EX(opline);
+			if (!zend_jit_undefined_op_helper_write(ht, opline->op2.var)) {
+				if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
+					if (EG(exception)) {
+						ZVAL_UNDEF(EX_VAR(opline->result.var));
+					} else {
+						ZVAL_NULL(EX_VAR(opline->result.var));
+					}
 				}
 				return NULL;
 			}
@@ -760,6 +768,8 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_w_helper(zend_array *ht, zval *dim
 	zend_ulong hval;
 	zend_string *offset_key;
 	zval *retval;
+	zend_execute_data *execute_data;
+	const zend_op *opline;
 
 	if (Z_TYPE_P(dim) == IS_REFERENCE) {
 		dim = Z_REFVAL_P(dim);
@@ -773,9 +783,15 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_w_helper(zend_array *ht, zval *dim
 			offset_key = Z_STR_P(dim);
 			goto str_index;
 		case IS_UNDEF:
-			if (!zend_jit_undefined_op_helper_write(ht, EG(current_execute_data)->opline->op2.var)) {
-				if (EG(exception)) {
-					undef_result_after_exception();
+			execute_data = EG(current_execute_data);
+			opline = EX(opline);
+			if (!zend_jit_undefined_op_helper_write(ht, opline->op2.var)) {
+				if (opline->result_type & (IS_VAR | IS_TMP_VAR)) {
+					if (EG(exception)) {
+						ZVAL_UNDEF(EX_VAR(opline->result.var));
+					} else {
+						ZVAL_NULL(EX_VAR(opline->result.var));
+					}
 				}
 				return NULL;
 			}
diff --git a/ext/opcache/tests/jit/assign_dim_005.phpt b/ext/opcache/tests/jit/assign_dim_005.phpt
@@ -0,0 +1,22 @@
+--TEST--
+JIT ASSIGN_DIM: 005
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+set_error_handler(function ($code, $msg) {
+	echo "Error: $msg\n";
+    $GLOBALS['a'] = null;
+});
+
+$a[$c] =                                                                                                                                    
+$a[$c] = 'x' ;
+var_dump($a);
+?>
+--EXPECT--
+Error: Undefined variable $c
+Error: Undefined variable $c
+NULL
