From ced5cda26f04a6f92874ef5d4b6fb426d9af5903 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Mon, 26 Jun 2023 19:08:52 +0200
Subject: [PATCH 1/3] Fix mis-compilation of by-reference nullsafe operator
Fixes oss-fuzz #60011
---
 Zend/zend_compile.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 14888722e13cc..8476e479077a2 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -3257,6 +3257,9 @@ static void zend_compile_assign(znode *result, zend_ast *ast) /* {{{ */
 if (!zend_is_variable_or_call(expr_ast)) {
 zend_error_noreturn(E_COMPILE_ERROR,
 "Cannot assign reference to non referenceable value");
+ } else if (expr_ast->kind == ZEND_AST_NULLSAFE_PROP) {
+ zend_error_noreturn(E_COMPILE_ERROR,
+ "Cannot take reference of a nullsafe chain");
 }
 zend_compile_var(&expr_node, expr_ast, BP_VAR_W, 1);
From 494bab0fabee268c1f9264c197f7e3d7a04a3160 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Mon, 26 Jun 2023 19:11:46 +0200
Subject: [PATCH 2/3] Add test for oss-fuzz #60011
---
 Zend/tests/oss_fuzz_60011.phpt | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 Zend/tests/oss_fuzz_60011.phpt
diff --git a/Zend/tests/oss_fuzz_60011.phpt b/Zend/tests/oss_fuzz_60011.phpt
new file mode 100644
index 0000000000000..cb55b32a5bc51
--- /dev/null
+++ b/Zend/tests/oss_fuzz_60011.phpt
@@ -0,0 +1,8 @@
+--TEST--
+oss-fuzz #60011 (Incorrect order of instruction with nullsafe operator)
+--FILE--
+y?->y;
+?>
+--EXPECTF--
+Fatal error: Cannot take reference of a nullsafe chain in %s on line %d
From 1c056fbce907a38bf9fd68fd0663e094bbbb5e5d Mon Sep 17 00:00:00 2001
From: Ilija Tovilo
Date: Wed, 28 Jun 2023 15:26:41 +0200
Subject: [PATCH 3/3] Fix nullsafe op appearing in nested chain
---
 Zend/tests/{oss_fuzz_60011.phpt => oss_fuzz_60011_1.phpt} | 0
 Zend/tests/oss_fuzz_60011_2.phpt | 8 ++++++++
 Zend/zend_compile.c | 2 +-
 3 files changed, 9 insertions(+), 1 deletion(-)
 rename Zend/tests/{oss_fuzz_60011.phpt => oss_fuzz_60011_1.phpt} (100%)
 create mode 100644 Zend/tests/oss_fuzz_60011_2.phpt
diff --git a/Zend/tests/oss_fuzz_60011.phpt b/Zend/tests/oss_fuzz_60011_1.phpt
similarity index 100%
rename from Zend/tests/oss_fuzz_60011.phpt
rename to Zend/tests/oss_fuzz_60011_1.phpt
diff --git a/Zend/tests/oss_fuzz_60011_2.phpt b/Zend/tests/oss_fuzz_60011_2.phpt
new file mode 100644
index 0000000000000..8c6880e358e0b
--- /dev/null
+++ b/Zend/tests/oss_fuzz_60011_2.phpt
@@ -0,0 +1,8 @@
+--TEST--
+oss-fuzz #60011 (Incorrect order of instruction with nullsafe operator)
+--FILE--
+y->y;
+?>
+--EXPECTF--
+Fatal error: Cannot take reference of a nullsafe chain in %s on line %d
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 8476e479077a2..59e4d369595ae 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -3257,7 +3257,7 @@ static void zend_compile_assign(znode *result, zend_ast *ast) /* {{{ */
 if (!zend_is_variable_or_call(expr_ast)) {
 zend_error_noreturn(E_COMPILE_ERROR,
 "Cannot assign reference to non referenceable value");
- } else if (expr_ast->kind == ZEND_AST_NULLSAFE_PROP) {
+ } else if (zend_ast_is_short_circuited(expr_ast)) {
 zend_error_noreturn(E_COMPILE_ERROR,
 "Cannot take reference of a nullsafe chain");
 }
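Review bot: The `--TEST--` title of the new `oss_fuzz_60011_2.phpt` is identical to the one in the renamed `oss_fuzz_60011_1.phpt`, so a failure line in the test runner output does not say which of the two variants regressed. A distinct title such as `oss-fuzz #60011 (nullsafe operator nested inside a by-reference chain)` would make that clear. Both test bodies, as far as they are visible here, end in a property fetch; if the guard is also meant to reject a nullsafe method call inside the chain, a further case for that shape would pin it.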
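Review bot: The new `else if (zend_ast_is_short_circuited(expr_ast))` branch carries no comment saying why a short-circuited chain has to be rejected before `zend_compile_var(&expr_node, expr_ast, BP_VAR_W, 1)` runs; the reason lives only in the commit subject and the oss-fuzz reference. I would add above the branch `/* A chain containing ?-> may short-circuit to null, so it cannot be compiled in write mode to take a reference (oss-fuzz #60011). */`. Because the fix is a compile-time rejection on this one path, it is also worth confirming that any other place that compiles a user expression with `BP_VAR_W` to bind a reference has the same guard; those sites, like the rest of zend_compile_assign's body, are outside this hunk.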