From 66427662740f3160e9ecd1cda900f74a56ada82f Mon Sep 17 00:00:00 2001
From: Ilija Tovilo
Date: Thu, 2 Nov 2023 16:54:23 +0100
Subject: [PATCH] Fix op1 leak of error path in post inc/dec Fixes oss-fuzz #63802
---
 Zend/tests/oss_fuzz_63802.phpt | 34 ++++++++++++++++++++++++++++++++++
 Zend/zend_vm_def.h | 6 ------
 Zend/zend_vm_execute.h | 12 ------------
 3 files changed, 34 insertions(+), 18 deletions(-)
 create mode 100644 Zend/tests/oss_fuzz_63802.phpt
diff --git a/Zend/tests/oss_fuzz_63802.phpt b/Zend/tests/oss_fuzz_63802.phpt
new file mode 100644
index 0000000000000..c675411c2860f
--- /dev/null
+++ b/Zend/tests/oss_fuzz_63802.phpt
@@ -0,0 +1,34 @@
+--TEST--
+oss-fuzz #63802: Post inc/dec with error leaks op1
+--FILE--
+ 42;
+ }
+ public function preDec() {
+ --$this > 42;
+ }
+ public function postInc() {
+ $this++ > 42;
+ }
+ public function postDec() {
+ $this-- > 42;
+ }
+}
+$foo = new Foo();
+foreach (['pre', 'post'] as $prePost) {
+ foreach (['inc', 'dec'] as $incDec) {
+ try {
+ $foo->{$prePost . ucfirst($incDec)}();
+ } catch (TypeError $e) {
+ echo $e->getMessage(), "\n";
+ }
+ }
+}
+?>
+--EXPECT--
+Cannot increment Foo
+Cannot decrement Foo
+Cannot increment Foo
+Cannot decrement Foo
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 9c11767584b4d..1e7110b490944 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1606,9 +1606,6 @@ ZEND_VM_HELPER(zend_post_inc_helper, VAR|CV, ANY)
 ZVAL_COPY(EX_VAR(opline->result.var), var_ptr);
 increment_function(var_ptr);
- if (UNEXPECTED(EG(exception))) {
- HANDLE_EXCEPTION();
- }
 } while (0);
 FREE_OP1();
@@ -1657,9 +1654,6 @@ ZEND_VM_HELPER(zend_post_dec_helper, VAR|CV, ANY)
 ZVAL_COPY(EX_VAR(opline->result.var), var_ptr);
 decrement_function(var_ptr);
- if (UNEXPECTED(EG(exception))) {
- HANDLE_EXCEPTION();
- }
 } while (0);
 FREE_OP1();
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index ccfa626f90120..7ec1f3833ca7c 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
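Review bot: With the early `HANDLE_EXCEPTION()` gone, nothing in `zend_post_inc_helper` records why an exception raised by `increment_function(var_ptr)` is deliberately left pending until after `FREE_OP1()`, so a later cleanup could re-add the check and bring the op1 leak back; the same applies to the `zend_post_dec_helper` hunk. I would add a comment right after the call, e.g. `/* No early HANDLE_EXCEPTION() here: op1 must still be released by FREE_OP1() below. */`. The statement that follows `FREE_OP1()` lies outside both hunks; the CV handlers shown for zend_vm_execute.h end in `ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION()`, so the pending exception is presumably picked up there once the operand has been freed, and the comment could say so after confirming it against the full helper.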
@@ -21782,9 +21782,6 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_inc_hel ZVAL_COPY(EX_VAR(opline->result.var), var_ptr); increment_function(var_ptr); - if (UNEXPECTED(EG(exception))) { - HANDLE_EXCEPTION(); - } } while (0); zval_ptr_dtor_nogc(EX_VAR(opline->op1.var)); @@ -21833,9 +21830,6 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_dec_hel ZVAL_COPY(EX_VAR(opline->result.var), var_ptr); decrement_function(var_ptr); - if (UNEXPECTED(EG(exception))) { - HANDLE_EXCEPTION(); - } } while (0); zval_ptr_dtor_nogc(EX_VAR(opline->op1.var)); @@ -39149,9 +39143,6 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_inc_hel ZVAL_COPY(EX_VAR(opline->result.var), var_ptr); increment_function(var_ptr); - if (UNEXPECTED(EG(exception))) { - HANDLE_EXCEPTION(); - } } while (0); ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION(); @@ -39199,9 +39190,6 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_post_dec_hel ZVAL_COPY(EX_VAR(opline->result.var), var_ptr); decrement_function(var_ptr); - if (UNEXPECTED(EG(exception))) { - HANDLE_EXCEPTION(); - } } while (0); ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();