Fix leak with nullsafe operator with constant LHS

nikic · nikic · commit ee7eecf321fb · 2020-07-29T15:51:47.000+02:00
Followup to 5303bcd. We need to perform the addref after emitting the opline, because that might intern the string. Fixes oss-fuzz #24479.
diff --git a/Zend/tests/nullsafe_operator/029.phpt b/Zend/tests/nullsafe_operator/029.phpt
@@ -3,6 +3,9 @@ Refcount of constant LHS with nullsafe operator
 --FILE--
 <?php
 ['']?->a;
+__DIR__?->a;
 ?>
 --EXPECTF--
 Warning: Attempt to read property "a" on array in %s on line %d
+
+Warning: Attempt to read property "a" on string in %s on line %d
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
@@ -2308,10 +2308,10 @@ static void zend_short_circuiting_commit(uint32_t checkpoint, znode *result, zen
 static void zend_emit_jmp_null(znode *obj_node)
 {
 	uint32_t jmp_null_opnum = get_next_op_number();
-	if (obj_node->op_type == IS_CONST) {
-		Z_TRY_ADDREF(obj_node->u.constant);
+	zend_op *opline = zend_emit_op(NULL, ZEND_JMP_NULL, obj_node, NULL);
+	if (opline->op1_type == IS_CONST) {
+		Z_TRY_ADDREF_P(CT_CONSTANT(opline->op1));
 	}
-	zend_emit_op(NULL, ZEND_JMP_NULL, obj_node, NULL);
 	zend_stack_push(&CG(short_circuiting_opnums), &jmp_null_opnum);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -2308,10 +2308,10 @@ static void zend_short_circuiting_commit(uint32_t checkpoint, znode *result, zen`
`2308`	`2308`	`static void zend_emit_jmp_null(znode *obj_node)`
`2309`	`2309`	`{`
`2310`	`2310`	`uint32_t jmp_null_opnum = get_next_op_number();`
`2311`		`- if (obj_node->op_type == IS_CONST) {`
`2312`		`- Z_TRY_ADDREF(obj_node->u.constant);`
	`2311`	`+ zend_op *opline = zend_emit_op(NULL, ZEND_JMP_NULL, obj_node, NULL);`
	`2312`	`+ if (opline->op1_type == IS_CONST) {`
	`2313`	`+ Z_TRY_ADDREF_P(CT_CONSTANT(opline->op1));`
`2313`	`2314`	`}`
`2314`		`- zend_emit_op(NULL, ZEND_JMP_NULL, obj_node, NULL);`
`2315`	`2315`	`zend_stack_push(&CG(short_circuiting_opnums), &jmp_null_opnum);`
`2316`	`2316`	`}`
`2317`	`2317`