
Commit 16a8591

Fix fatal error during sccp shift eval
Avoid returning early in this function, as other checks might still be needed to verify whether the given function can produce an error. Fixes oss-fuzz #447521098 Closes GH-19972
1 parent 033dd8a commit 16a8591


3 files changed

+22
-2
lines changed


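--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.5.0RC2
 
+- Core:
+. Fix OSS-Fuzz #447521098 (Fatal error during sccp shift eval). (ilutov)
+
 - Opcache
 . Fixed segfault in function JIT due to NAN to bool warning. (Girgias)
 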
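--- /dev/null
+++ b/Zend/tests/oss_fuzz_447521098.phpt
@@ -0,0 +1,13 @@
+--TEST--
+OSS-Fuzz #447521098: Fatal error during sccp shift eval
+--FILE--
+<?php
+function test() {
+$x = 0;
+$y = -1;
+$x >> $y;
+}
+?>
+===DONE===
+--EXPECT--
+===DONE===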

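--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -9998,7 +9998,9 @@ ZEND_API bool zend_binary_op_produces_error(uint32_t opcode, const zval *op1, co
 /* Operation which cast float/float-strings to integers might produce incompatible float to int errors */
 if (opcode == ZEND_SL || opcode == ZEND_SR || opcode == ZEND_BW_OR
 || opcode == ZEND_BW_AND || opcode == ZEND_BW_XOR) {
-return !zend_is_op_long_compatible(op1) || !zend_is_op_long_compatible(op2);
+if (!zend_is_op_long_compatible(op1) || !zend_is_op_long_compatible(op2)) {
+return 1;
+}
 }
 
 if (opcode == ZEND_DIV && zval_get_double(op2) == 0.0) {
@@ -10009,7 +10011,9 @@ ZEND_API bool zend_binary_op_produces_error(uint32_t opcode, const zval *op1, co
 /* Mod is an operation that will cast float/float-strings to integers which might
 produce float to int incompatible errors, and also cannot be divided by 0 */
 if (opcode == ZEND_MOD) {
-if (!zend_is_op_long_compatible(op1) || !zend_is_op_long_compatible(op2) || zval_get_long(op2) == 0) {
+if (!zend_is_op_long_compatible(op1) || !zend_is_op_long_compatible(op2) || zval_get_long(op2) == 0) {
+return 1;
+}
 }
 
 if ((opcode == ZEND_POW) && zval_get_double(op1) == 0 && zval_get_double(op2) < 0) {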
