From 5ce1089c5acfc8a4dfaf3c0bdd5da1b59cb943a2 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo
Date: Tue, 6 Feb 2024 23:47:44 +0100
Subject: [PATCH] Fix RC inference narrowing for ASSIGN_OBJ

Fixes oss-fuzz #66519
---
 Zend/Optimizer/zend_inference.c | 4 ++--
 Zend/tests/oss_fuzz_66519.phpt | 14 ++++++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 Zend/tests/oss_fuzz_66519.phpt

diff --git a/Zend/Optimizer/zend_inference.c b/Zend/Optimizer/zend_inference.c
index 8e0bd0e82aed7..4b4bbb09d8105 100644
--- a/Zend/Optimizer/zend_inference.c
+++ b/Zend/Optimizer/zend_inference.c
@@ -3030,12 +3030,12 @@ static zend_always_inline zend_result _zend_update_type_info(
 case ZEND_ASSIGN_OBJ:
 if (opline->op1_type == IS_CV) {
 zend_class_entry *ce = ssa_var_info[ssa_op->op1_use].ce;
- bool add_rc = !ce
+ bool add_rc = (t1 & (MAY_BE_OBJECT|MAY_BE_REF)) && (!ce
 || ce->__set
 /* Non-default write_property may be set within create_object. */
 || ce->create_object
 || ce->default_object_handlers->write_property != zend_std_write_property
- || ssa_var_info[ssa_op->op1_use].is_instanceof;
+ || ssa_var_info[ssa_op->op1_use].is_instanceof);
 tmp = (t1 & (MAY_BE_REF|MAY_BE_OBJECT|MAY_BE_RC1|MAY_BE_RCN))|(add_rc ? (MAY_BE_RC1|MAY_BE_RCN) : 0);
 UPDATE_SSA_TYPE(tmp, ssa_op->op1_def);
 COPY_SSA_OBJ_TYPE(ssa_op->op1_use, ssa_op->op1_def);
diff --git a/Zend/tests/oss_fuzz_66519.phpt b/Zend/tests/oss_fuzz_66519.phpt
new file mode 100644
index 0000000000000..70d7b08b5c4aa
--- /dev/null
+++ b/Zend/tests/oss_fuzz_66519.phpt
@@ -0,0 +1,14 @@
+--TEST--
+oss-fuzz #66519: Fix RC inference narrowing for ASSIGN_OBJ
+--FILE--
+y = y;
+ $oj = new stdClass;
+ }
+}
+?>
+===DONE===
+--EXPECT--
+===DONE===
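Review bot: The new guard on `add_rc` carries no comment explaining why the RC bits are now conditional on `t1 & (MAY_BE_OBJECT|MAY_BE_REF)`, and wrapping the existing five-line disjunction in a parenthesised group makes the expression noticeably harder to read. A comment above the declaration such as `/* Only add RC1/RCN when op1 may actually hold an object or reference; a type without those bits must not gain RC bits here. */` records the rationale, or the guard can be hoisted into its own `bool may_be_obj = (t1 & (MAY_BE_OBJECT|MAY_BE_REF)) != 0;` so the original condition keeps its shape. The next line still masks `t1 & (MAY_BE_REF|MAY_BE_OBJECT|MAY_BE_RC1|MAY_BE_RCN)`, so RC1/RCN already present in `t1` from a non-object refcounted type pass through even when the new guard is false; whether that combination can reach the same narrowing check this commit fixes is worth confirming. `_zend_update_type_info` begins and ends outside the hunk.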