Fix infinite recursion in unlinked_instanceof

nikic · nikic · commit dd335359e950 · 2021-01-05T13:03:41.000+01:00
I suspect this is only a partial fix for the issue, it's probably
possible to recurse through a more complex pathway as well.

Fixes oss-fuzz #28961.
diff --git a/Zend/tests/type_declarations/variance/infinite_recursion.phpt b/Zend/tests/type_declarations/variance/infinite_recursion.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Infinite recursion in unlinked_instanceof()
+--FILE--
+<?php
+interface I {}
+spl_autoload_register(function() {
+    class X {
+        function test(): I {}
+    }
+    class Y extends X {
+        function test(): C {}
+    }
+});
+class C extends Z implements C {}
+?>
+--EXPECTF--
+Fatal error: Declaration of Y::test(): C must be compatible with X::test(): I in %s on line %d
diff --git a/Zend/zend_inheritance.c b/Zend/zend_inheritance.c
@@ -311,7 +311,8 @@ static zend_bool unlinked_instanceof(zend_class_entry *ce1, zend_class_entry *ce
 				zend_class_entry *ce = zend_lookup_class_ex(
 					ce1->interface_names[i].name, ce1->interface_names[i].lc_name,
 					ZEND_FETCH_CLASS_ALLOW_UNLINKED | ZEND_FETCH_CLASS_NO_AUTOLOAD);
-				if (ce && unlinked_instanceof(ce, ce2)) {
+				/* Avoid recursing if class implements ifself. */
+				if (ce && ce != ce1 && unlinked_instanceof(ce, ce2)) {
 					return 1;
 				}
 			}

Original file line number	Diff line number	Diff line change
`@@ -311,7 +311,8 @@ static zend_bool unlinked_instanceof(zend_class_entry ce1, zend_class_entry ce`
`311`	`311`	`zend_class_entry *ce = zend_lookup_class_ex(`
`312`	`312`	`ce1->interface_names[i].name, ce1->interface_names[i].lc_name,`
`313`	`313`	`ZEND_FETCH_CLASS_ALLOW_UNLINKED \| ZEND_FETCH_CLASS_NO_AUTOLOAD);`
`314`		`- if (ce && unlinked_instanceof(ce, ce2)) {`
	`314`	`+ /* Avoid recursing if class implements ifself. */`
	`315`	`+ if (ce && ce != ce1 && unlinked_instanceof(ce, ce2)) {`
`315`	`316`	`return 1;`
`316`	`317`	`}`
`317`	`318`	`}`