Fix bug #81611

camporter · nikic · commit 812df2bd8a95 · 2021-11-16T14:40:06.000+01:00
Add zend_fetch_class_with_scope() which accepts a scope to use for self/parent, and use that during constant expression evaluation. Closes GH-7649.
diff --git a/NEWS b/NEWS
@@ -6,6 +6,10 @@ PHP                                                                        NEWS
   . Fixed bug #81513 (Future possibility for heap overflow in FPM zlog).
     (Jakub Zelenka)
 
+- Reflection:
+  . Fixed bug #81611 (ArgumentCountError when getting default value from
+    ReflectionParameter with new). (Cameron Porter)
+
 - XML:
   . Fixed bug #79971 (special character is breaking the path in xml function).
     (CVE-2021-21707) (cmb)
diff --git a/Zend/zend_ast.c b/Zend/zend_ast.c
@@ -482,7 +482,7 @@ static zend_result zend_ast_add_unpacked_element(zval *result, zval *expr) {
 
 zend_class_entry *zend_ast_fetch_class(zend_ast *ast, zend_class_entry *scope)
 {
-	return zend_fetch_class(zend_ast_get_str(ast), ast->attr | ZEND_FETCH_CLASS_EXCEPTION);
+	return zend_fetch_class_with_scope(zend_ast_get_str(ast), ast->attr | ZEND_FETCH_CLASS_EXCEPTION, scope);
 }
 
 ZEND_API zend_result ZEND_FASTCALL zend_ast_evaluate(zval *result, zend_ast *ast, zend_class_entry *scope)
diff --git a/Zend/zend_execute.h b/Zend/zend_execute.h
@@ -349,6 +349,7 @@ ZEND_API void zend_set_timeout(zend_long seconds, bool reset_signals);
 ZEND_API void zend_unset_timeout(void);
 ZEND_API ZEND_NORETURN void ZEND_FASTCALL zend_timeout(void);
 ZEND_API zend_class_entry *zend_fetch_class(zend_string *class_name, int fetch_type);
+ZEND_API zend_class_entry *zend_fetch_class_with_scope(zend_string *class_name, int fetch_type, zend_class_entry *scope);
 ZEND_API zend_class_entry *zend_fetch_class_by_name(zend_string *class_name, zend_string *lcname, int fetch_type);
 
 ZEND_API zend_function * ZEND_FASTCALL zend_fetch_function(zend_string *name);
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
@@ -1549,6 +1549,39 @@ zend_class_entry *zend_fetch_class(zend_string *class_name, int fetch_type) /* {
 }
 /* }}} */
 
+zend_class_entry *zend_fetch_class_with_scope(
+		zend_string *class_name, int fetch_type, zend_class_entry *scope)
+{
+	zend_class_entry *ce;
+	switch (fetch_type & ZEND_FETCH_CLASS_MASK) {
+		case ZEND_FETCH_CLASS_SELF:
+			if (UNEXPECTED(!scope)) {
+				zend_throw_or_error(fetch_type, NULL, "Cannot access \"self\" when no class scope is active");
+			}
+			return scope;
+		case ZEND_FETCH_CLASS_PARENT:
+			if (UNEXPECTED(!scope)) {
+				zend_throw_or_error(fetch_type, NULL, "Cannot access \"parent\" when no class scope is active");
+				return NULL;
+			}
+			if (UNEXPECTED(!scope->parent)) {
+				zend_throw_or_error(fetch_type, NULL, "Cannot access \"parent\" when current class scope has no parent");
+			}
+			return scope->parent;
+		case 0:
+			break;
+		/* Other fetch types are not supported by this function. */
+		EMPTY_SWITCH_DEFAULT_CASE()
+	}
+
+	ce = zend_lookup_class_ex(class_name, NULL, fetch_type);
+	if (!ce) {
+		report_class_fetch_error(class_name, fetch_type);
+		return NULL;
+	}
+	return ce;
+}
+
 zend_class_entry *zend_fetch_class_by_name(zend_string *class_name, zend_string *key, int fetch_type) /* {{{ */
 {
 	zend_class_entry *ce = zend_lookup_class_ex(class_name, key, fetch_type);
diff --git a/ext/reflection/tests/bug81611.phpt b/ext/reflection/tests/bug81611.phpt
@@ -0,0 +1,64 @@
+--TEST--
+Reflection Bug #81611 (ArgumentCountError when getting default value from ReflectionParameter with new)
+--FILE--
+<?php
+
+class Bar
+{
+}
+
+class Foo extends Bar
+{
+    public function doFoo(object $test = new self()): object
+    {
+        return $test;
+    }
+
+    public function doBar(object $test = new parent()): object
+    {
+        return $test;
+    }
+}
+
+$ref = new \ReflectionClass(Foo::class);
+
+foreach (['doFoo', 'doBar'] as $method) {
+    $params = $ref->getMethod($method)->getParameters();
+
+    foreach ($params as $param) {
+        echo "isDefaultValueAvailable:\n";
+        var_dump($param->isDefaultValueAvailable());
+
+        echo "isDefaultValueConstant:\n";
+        var_dump($param->isDefaultValueConstant());
+
+        echo "getDefaultValueConstantName:\n";
+        var_dump($param->getDefaultValueConstantName());
+
+        echo "getDefaultValue:\n";
+        var_dump($param->getDefaultValue());
+
+        echo "\n";
+    }
+}
+?>
+--EXPECT--
+isDefaultValueAvailable:
+bool(true)
+isDefaultValueConstant:
+bool(false)
+getDefaultValueConstantName:
+NULL
+getDefaultValue:
+object(Foo)#2 (0) {
+}
+
+isDefaultValueAvailable:
+bool(true)
+isDefaultValueConstant:
+bool(false)
+getDefaultValueConstantName:
+NULL
+getDefaultValue:
+object(Bar)#3 (0) {
+}

Original file line number	Diff line number	Diff line change
`@@ -482,7 +482,7 @@ static zend_result zend_ast_add_unpacked_element(zval result, zval expr) {`
`482`	`482`
`483`	`483`	`zend_class_entry zend_ast_fetch_class(zend_ast ast, zend_class_entry *scope)`
`484`	`484`	`{`
`485`		`- return zend_fetch_class(zend_ast_get_str(ast), ast->attr \| ZEND_FETCH_CLASS_EXCEPTION);`
	`485`	`+ return zend_fetch_class_with_scope(zend_ast_get_str(ast), ast->attr \| ZEND_FETCH_CLASS_EXCEPTION, scope);`
`486`	`486`	`}`
`487`	`487`
`488`	`488`	`ZEND_API zend_result ZEND_FASTCALL zend_ast_evaluate(zval result, zend_ast ast, zend_class_entry *scope)`