Return correct result code for division by zero

nikic · nikic · commit ae77c7b057c5 · 2020-10-02T12:09:14.000+02:00
Turns out we do need to return FAILURE here on div by zero
exception. Use a three-way return value from div_function_base.

Fixes oss-fuzz #25975.
diff --git a/Zend/tests/div_by_zero_in_static.phpt b/Zend/tests/div_by_zero_in_static.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Division by zero in static
+--FILE--
+<?php
+static $a = 1/0;
+?>
+--EXPECTF--
+Fatal error: Uncaught DivisionByZeroError: Division by zero in %s:%d
+Stack trace:
+#0 {main}
+  thrown in %s on line %d
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
@@ -1253,7 +1253,9 @@ ZEND_API zend_result ZEND_FASTCALL pow_function(zval *result, zval *op1, zval *o
 }
 /* }}} */
 
-static zend_result ZEND_FASTCALL div_function_base(zval *result, zval *op1, zval *op2) /* {{{ */
+/* Returns SUCCESS/FAILURE/TYPES_NOT_HANDLED */
+#define TYPES_NOT_HANDLED 1
+static int ZEND_FASTCALL div_function_base(zval *result, zval *op1, zval *op2) /* {{{ */
 {
 	zend_uchar type_pair = TYPE_PAIR(Z_TYPE_P(op1), Z_TYPE_P(op2));
 
@@ -1290,23 +1292,25 @@ static zend_result ZEND_FASTCALL div_function_base(zval *result, zval *op1, zval
 		ZVAL_DOUBLE(result, (double)Z_LVAL_P(op1) / Z_DVAL_P(op2));
 		return SUCCESS;
 	} else {
-		return FAILURE;
+		return TYPES_NOT_HANDLED;
 	}
 division_by_0:
 	if (result != op1) {
 		ZVAL_UNDEF(result);
 	}
 	zend_throw_error(zend_ce_division_by_zero_error, "Division by zero");
-	return SUCCESS;
+	return FAILURE;
 }
 /* }}} */
 
 ZEND_API zend_result ZEND_FASTCALL div_function(zval *result, zval *op1, zval *op2) /* {{{ */
 {
 	ZVAL_DEREF(op1);
 	ZVAL_DEREF(op2);
-	if (div_function_base(result, op1, op2) == SUCCESS) {
-		return SUCCESS;
+
+	int retval = div_function_base(result, op1, op2);
+	if (retval != TYPES_NOT_HANDLED) {
+		return retval;
 	}
 
 	ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_DIV);
@@ -1325,12 +1329,9 @@ ZEND_API zend_result ZEND_FASTCALL div_function(zval *result, zval *op1, zval *o
 		zval_ptr_dtor(result);
 	}
 
-	if (div_function_base(result, &op1_copy, &op2_copy) == SUCCESS) {
-		return SUCCESS;
-	}
-
-	ZEND_ASSERT(0 && "Operation must succeed");
-	return FAILURE;
+	retval = div_function_base(result, &op1_copy, &op2_copy);
+	ZEND_ASSERT(retval != TYPES_NOT_HANDLED && "Types should be handled");
+	return retval;
 }
 /* }}} */
 

Original file line number	Diff line number	Diff line change
`@@ -1253,7 +1253,9 @@ ZEND_API zend_result ZEND_FASTCALL pow_function(zval result, zval op1, zval *o`
`1253`	`1253`	`}`
`1254`	`1254`	`/* }}} */`
`1255`	`1255`
`1256`		`-static zend_result ZEND_FASTCALL div_function_base(zval result, zval op1, zval op2) / {{{ */`
	`1256`	`+/* Returns SUCCESS/FAILURE/TYPES_NOT_HANDLED */`
	`1257`	`+#define TYPES_NOT_HANDLED 1`
	`1258`	`+static int ZEND_FASTCALL div_function_base(zval result, zval op1, zval op2) / {{{ */`
`1257`	`1259`	`{`
`1258`	`1260`	`zend_uchar type_pair = TYPE_PAIR(Z_TYPE_P(op1), Z_TYPE_P(op2));`
`1259`	`1261`
`@@ -1290,23 +1292,25 @@ static zend_result ZEND_FASTCALL div_function_base(zval result, zval op1, zval`
`1290`	`1292`	`ZVAL_DOUBLE(result, (double)Z_LVAL_P(op1) / Z_DVAL_P(op2));`
`1291`	`1293`	`return SUCCESS;`
`1292`	`1294`	`} else {`
`1293`		`- return FAILURE;`
	`1295`	`+ return TYPES_NOT_HANDLED;`
`1294`	`1296`	`}`
`1295`	`1297`	`division_by_0:`
`1296`	`1298`	`if (result != op1) {`
`1297`	`1299`	`ZVAL_UNDEF(result);`
`1298`	`1300`	`}`
`1299`	`1301`	`zend_throw_error(zend_ce_division_by_zero_error, "Division by zero");`
`1300`		`- return SUCCESS;`
	`1302`	`+ return FAILURE;`
`1301`	`1303`	`}`
`1302`	`1304`	`/* }}} */`
`1303`	`1305`
`1304`	`1306`	`ZEND_API zend_result ZEND_FASTCALL div_function(zval result, zval op1, zval op2) / {{{ */`
`1305`	`1307`	`{`
`1306`	`1308`	`ZVAL_DEREF(op1);`
`1307`	`1309`	`ZVAL_DEREF(op2);`
`1308`		`- if (div_function_base(result, op1, op2) == SUCCESS) {`
`1309`		`- return SUCCESS;`
	`1310`	`+`
	`1311`	`+ int retval = div_function_base(result, op1, op2);`
	`1312`	`+ if (retval != TYPES_NOT_HANDLED) {`
	`1313`	`+ return retval;`
`1310`	`1314`	`}`
`1311`	`1315`
`1312`	`1316`	`ZEND_TRY_BINARY_OBJECT_OPERATION(ZEND_DIV);`
`@@ -1325,12 +1329,9 @@ ZEND_API zend_result ZEND_FASTCALL div_function(zval result, zval op1, zval *o`
`1325`	`1329`	`zval_ptr_dtor(result);`
`1326`	`1330`	`}`
`1327`	`1331`
`1328`		`- if (div_function_base(result, &op1_copy, &op2_copy) == SUCCESS) {`
`1329`		`- return SUCCESS;`
`1330`		`- }`
`1331`		`-`
`1332`		`- ZEND_ASSERT(0 && "Operation must succeed");`
`1333`		`- return FAILURE;`
	`1332`	`+ retval = div_function_base(result, &op1_copy, &op2_copy);`
	`1333`	`+ ZEND_ASSERT(retval != TYPES_NOT_HANDLED && "Types should be handled");`
	`1334`	`+ return retval;`
`1334`	`1335`	`}`
`1335`	`1336`	`/* }}} */`
`1336`	`1337`