Fix oss-fuzz #61712: assertion failure with error handler during binary op

nielsdos · nielsdos · commit a3a396449792 · 2023-08-28T20:00:49.000+02:00
Because the error handler is invoked after the property is updated, the error handler has the opportunity to remove it before the property is returned. Switching the order around fixes this issue. The comments mention that the current ordering prevents overwriting the EG(std_property_info) field in the error handler. EG(std_property_info) no longer exists as it was removed in 7471c21. Back then a global was used to store the returned property info, but as this is no longer the case there is no longer a need to protect against overwriting a global. Closes GH-12062.
diff --git a/NEWS b/NEWS
@@ -8,6 +8,8 @@ PHP                                                                        NEWS
     (Jakub Zelenka)
   . Fixed bug GH-11790 (On riscv64 require libatomic if actually needed).
     (Jeremie Courreges-Anglas)
+  . Fixed oss-fuzz #61712 (assertion failure with error handler during binary
+    op). (nielsdos)
 
 - DOM:
   . Fixed GH-11952 (Confusing warning when blocking entity loading via
diff --git a/Zend/tests/oss_fuzz_61712.phpt b/Zend/tests/oss_fuzz_61712.phpt
@@ -0,0 +1,20 @@
+--TEST--
+OSS-Fuzz #61712 (assertion failure with error handler during binary op)
+--FILE--
+<?php
+#[AllowDynamicProperties]
+class C {
+    function error($_, $msg) {
+        echo $msg, "\n";
+        unset($this->a);
+    }
+}
+
+$c = new C;
+set_error_handler([$c, 'error']);
+$c->a %= 10;
+var_dump($c->a);
+?>
+--EXPECT--
+Undefined property: C::$a
+int(0)
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -1160,12 +1160,10 @@ ZEND_API zval *zend_std_get_property_ptr_ptr(zend_object *zobj, zend_string *nam
 			if (UNEXPECTED(!zobj->properties)) {
 				rebuild_object_properties(zobj);
 			}
-			retval = zend_hash_update(zobj->properties, name, &EG(uninitialized_zval));
-			/* Notice is thrown after creation of the property, to avoid EG(std_property_info)
-			 * being overwritten in an error handler. */
 			if (UNEXPECTED(type == BP_VAR_RW || type == BP_VAR_R)) {
 				zend_error(E_WARNING, "Undefined property: %s::$%s", ZSTR_VAL(zobj->ce->name), ZSTR_VAL(name));
 			}
+			retval = zend_hash_update(zobj->properties, name, &EG(uninitialized_zval));
 		}
 	} else if (zobj->ce->__get == NULL) {
 		retval = &EG(error_zval);

Original file line number	Diff line number	Diff line change
`@@ -1160,12 +1160,10 @@ ZEND_API zval zend_std_get_property_ptr_ptr(zend_object zobj, zend_string *nam`
`1160`	`1160`	`if (UNEXPECTED(!zobj->properties)) {`
`1161`	`1161`	`rebuild_object_properties(zobj);`
`1162`	`1162`	`}`
`1163`		`- retval = zend_hash_update(zobj->properties, name, &EG(uninitialized_zval));`
`1164`		`- /* Notice is thrown after creation of the property, to avoid EG(std_property_info)`
`1165`		`- * being overwritten in an error handler. */`
`1166`	`1163`	`if (UNEXPECTED(type == BP_VAR_RW \|\| type == BP_VAR_R)) {`
`1167`	`1164`	`zend_error(E_WARNING, "Undefined property: %s::$%s", ZSTR_VAL(zobj->ce->name), ZSTR_VAL(name));`
`1168`	`1165`	`}`
	`1166`	`+ retval = zend_hash_update(zobj->properties, name, &EG(uninitialized_zval));`
`1169`	`1167`	`}`
`1170`	`1168`	`} else if (zobj->ce->__get == NULL) {`
`1171`	`1169`	`retval = &EG(error_zval);`