From 82169a8fbf7c9c8294285f550f993b0810c37d6e Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Fri, 8 Dec 2023 12:56:30 +0100
Subject: [PATCH] Fix zend_jit_undefined_long_key overwriting dim when dim ==
 result

Fixes oss-fuzz #64727
---
 ext/opcache/jit/zend_jit_vm_helpers.c     |  4 ++--
 ext/opcache/tests/jit/oss-fuzz-64727.phpt | 27 +++++++++++++++++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 ext/opcache/tests/jit/oss-fuzz-64727.phpt

diff --git a/ext/opcache/jit/zend_jit_vm_helpers.c b/ext/opcache/jit/zend_jit_vm_helpers.c
index ff7fbd87546eb..fe9d5fdaa8da5 100644
--- a/ext/opcache/jit/zend_jit_vm_helpers.c
+++ b/ext/opcache/jit/zend_jit_vm_helpers.c
@@ -205,7 +205,6 @@ void ZEND_FASTCALL zend_jit_undefined_long_key(EXECUTE_DATA_D)
 	zval *result = EX_VAR(opline->result.var);
 	zval *dim;
 
-	ZVAL_NULL(result);
 	if (opline->op2_type == IS_CONST) {
 		dim = RT_CONSTANT(opline, opline->op2);
 	} else {
@@ -213,6 +212,7 @@ void ZEND_FASTCALL zend_jit_undefined_long_key(EXECUTE_DATA_D)
 	}
 	ZEND_ASSERT(Z_TYPE_P(dim) == IS_LONG);
 	zend_error(E_WARNING, "Undefined array key " ZEND_LONG_FMT, Z_LVAL_P(dim));
+	ZVAL_NULL(result);
 }
 
 void ZEND_FASTCALL zend_jit_undefined_string_key(EXECUTE_DATA_D)
@@ -222,7 +222,6 @@ void ZEND_FASTCALL zend_jit_undefined_string_key(EXECUTE_DATA_D)
 	zval *dim;
 	zend_ulong lval;
 
-	ZVAL_NULL(result);
 	if (opline->op2_type == IS_CONST) {
 		dim = RT_CONSTANT(opline, opline->op2);
 	} else {
@@ -234,6 +233,7 @@ void ZEND_FASTCALL zend_jit_undefined_string_key(EXECUTE_DATA_D)
 	} else {
 		zend_error(E_WARNING, "Undefined array key \"%s\"", Z_STRVAL_P(dim));
 	}
+	ZVAL_NULL(result);
 }
 
 ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_jit_profile_helper(ZEND_OPCODE_HANDLER_ARGS)
diff --git a/ext/opcache/tests/jit/oss-fuzz-64727.phpt b/ext/opcache/tests/jit/oss-fuzz-64727.phpt
new file mode 100644
index 0000000000000..72fb3e5bd2d7f
--- /dev/null
+++ b/ext/opcache/tests/jit/oss-fuzz-64727.phpt
@@ -0,0 +1,27 @@
+--TEST--
+oss-fuzz #64727
+--INI--
+opcache.enable_cli=1
+opcache.jit_buffer_size=64M
+opcache.jit=function
+--EXTENSIONS--
+opcache
+--FILE--
+<?php
+function test(){
+    $a = null;
+    $b = null;
+	for($i = 0; $i < 2; $i++){
+		$a = $a + $b;
+		var_dump($a);
+		$a = @[3][$a];
+		var_dump($a);
+	}
+}
+test();
+?>
+--EXPECT--
+int(0)
+int(3)
+int(3)
+NULL