Fix segfault when evaluating const expr default value of child prop with added hooks

iluuu1994 · iluuu1994 · commit f1fd1abc52a6 · 2025-03-17T16:26:21.000+01:00
Fixes oss-fuzz #403816122
diff --git a/Zend/tests/oss-fuzz-403816122.phpt b/Zend/tests/oss-fuzz-403816122.phpt
@@ -0,0 +1,22 @@
+--TEST--
+OSS-Fuzz #403816122: Segfault when initializing default properties of child prop with added hooks
+--FILE--
+<?php
+
+const X = 'x';
+
+class P {
+    public $prop;
+}
+
+class C extends P {
+    public $prop = X {
+        get => 'y';
+    }
+}
+
+var_dump((new C)->prop);
+
+?>
+--EXPECT--
+string(1) "y"
diff --git a/Zend/zend_API.c b/Zend/zend_API.c
@@ -1613,8 +1613,12 @@ ZEND_API zend_result zend_update_class_constants(zend_class_entry *class_type) /
 		/* Use the default properties table to also update initializers of private properties
 		 * that have been shadowed in a child class. */
 		for (uint32_t i = 0; i < class_type->default_properties_count; i++) {
-			val = &default_properties_table[i];
 			prop_info = class_type->properties_info_table[i];
+			if (!prop_info) {
+				continue;
+			}
+
+			val = &default_properties_table[OBJ_PROP_TO_NUM(prop_info->offset)];
 			if (Z_TYPE_P(val) == IS_CONSTANT_AST
 					&& UNEXPECTED(update_property(val, prop_info) != SUCCESS)) {
 				return FAILURE;
