From 9eafd67717951d641674dc76f74015e06f281a28 Mon Sep 17 00:00:00 2001 From: Ilija Tovilo Date: Thu, 15 Jun 2023 17:47:56 +0200 Subject: [PATCH] Fix assertion violation for invalid class const objects in const expressions Fixes oss-fuzz #59764 --- Zend/tests/oss_fuzz_59764.phpt | 8 ++++++++ Zend/zend_compile.c | 3 +++ 2 files changed, 11 insertions(+) create mode 100644 Zend/tests/oss_fuzz_59764.phpt diff --git a/Zend/tests/oss_fuzz_59764.phpt b/Zend/tests/oss_fuzz_59764.phpt new file mode 100644 index 0000000000000..c8ba573ff9a7e --- /dev/null +++ b/Zend/tests/oss_fuzz_59764.phpt @@ -0,0 +1,8 @@ +--TEST-- +oss-fuzz #59764: Test +--FILE-- + +--EXPECTF-- +Fatal error: Class name must be a valid object or a string in %s on line %d diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c index 0b54823d2026c..21fc22e73140d 100644 --- a/Zend/zend_compile.c +++ b/Zend/zend_compile.c @@ -10014,6 +10014,9 @@ static void zend_compile_const_expr_class_const(zend_ast **ast_ptr) /* {{{ */ zend_error_noreturn(E_COMPILE_ERROR, "Dynamic class names are not allowed in compile-time class constant references"); } + if (Z_TYPE_P(zend_ast_get_zval(class_ast)) != IS_STRING) { + zend_throw_error(NULL, "Class name must be a valid object or a string"); + } class_name = zend_ast_get_str(class_ast); fetch_type = zend_get_class_fetch_type(class_name);