Fix zend_lazy_object_get_properties for object with prop ht, when init fails (#15825)

arnaud-lb · web-flow · commit cc065bae3ffb · 2024-09-23T13:47:56.000+02:00
zend_lazy_object_get_properties() is used by zend_std_get_properties_ex() to fetch the properties of lazy objects. It initializes the object and returns its properties.

When initialization fails we return an empty ht because most callers do not check for NULL. We rely on the exception thrown during initialization. We also assign that empty ht to zend_object.properties for the same reasons.

We asserted that zend_object.properties was either NULL or &amp;zend_empty_array, but there are other cases in which a uninitialized lazy object may have a properties ht.

Here I remove the assertion, and return the existing properties ht if there is one. Otherwise I return zend_new_array(0) instead of &amp;zend_emtpy_array as not all callers expect an immutable array (e.g. FE_FETCH does not).
diff --git a/Zend/tests/lazy_objects/gh15823.phpt b/Zend/tests/lazy_objects/gh15823.phpt
@@ -0,0 +1,37 @@
+--TEST--
+GH-15823: Wrong expectations in zend_lazy_object_get_properties()
+--FILE--
+<?php
+
+class C {
+    public int $a = 1;
+}
+
+$reflector = new ReflectionClass(C::class);
+$calls = 0;
+$obj = $reflector->newLazyGhost(function ($obj) use (&$calls) {
+    if ($calls++ === 0) {
+        throw new Error("initializer");
+    }
+    $obj->a = 2;
+});
+
+// Builds properties ht without lazy initialization
+var_dump($obj);
+try {
+    // Lazy initialization fails during fetching of properties ht
+    json_encode($obj);
+} catch (Error $e) {
+    printf("%s: %s\n", $e::class, $e->getMessage());
+}
+
+var_dump(json_encode($obj));
+
+?>
+--EXPECTF--
+lazy ghost object(C)#%d (0) {
+  ["a"]=>
+  uninitialized(int)
+}
+Error: initializer
+string(7) "{"a":2}"
diff --git a/Zend/zend_lazy_objects.c b/Zend/zend_lazy_objects.c
@@ -624,8 +624,10 @@ ZEND_API HashTable *zend_lazy_object_get_properties(zend_object *object)
 
 	zend_object *tmp = zend_lazy_object_init(object);
 	if (UNEXPECTED(!tmp)) {
-		ZEND_ASSERT(!object->properties || object->properties == &zend_empty_array);
-		return object->properties = (zend_array*) &zend_empty_array;
+		if (object->properties) {
+			return object->properties;
+		}
+		return object->properties = zend_new_array(0);
 	}
 
 	object = tmp;
