Fix oss-fuzz-61469: Undef dynamic property in ++/-- unset in error handler

Girgias · Girgias · commit dc4d0946261d · 2023-08-21T15:01:46.000+01:00
diff --git a/Zend/tests/in-de-crement/oss-fuzz-61469_inc_dec_dynamic_property_unset_error_handler.phpt b/Zend/tests/in-de-crement/oss-fuzz-61469_inc_dec_dynamic_property_unset_error_handler.phpt
@@ -0,0 +1,29 @@
+--TEST--
+OSS Fuzz #61469: Undef variable in ++/-- for dynamic property that is unset in error handler
+--FILE--
+<?php
+class C {
+    function errorHandle() {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandle']);
+
+($c->a++);
+var_dump($c->a);
+
+($c->a--);
+var_dump($c->a);
+
+(++$c->a);
+var_dump($c->a);
+
+(--$c->a);
+var_dump($c->a);
+?>
+--EXPECT--
+NULL
+NULL
+NULL
+NULL
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -1328,6 +1328,11 @@ ZEND_VM_C_LABEL(pre_incdec_object):
 					ZVAL_NULL(EX_VAR(opline->result.var));
 				}
 			} else {
+				/* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic
+				 * (e.g. undefined property warning) and the propery is unset in the error handler */
+				if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) {
+					ZVAL_NULL(zptr);
+				}
 				if (OP2_TYPE == IS_CONST) {
 					prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2);
 				} else {
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
