Fix oss-fuzz #71382 (#15854)

arnaud-lb · web-flow · commit 17d46bb3b296 · 2024-09-17T16:06:51.000+02:00
The return value of zho_build_properties_ex() is passed to ZVAL_ARR(), which sets the IS_TYPE_REFCOUNTED flag. Returning &amp;zend_emtpy_array will crash later when trying to dtor the zval.

I'm fixing this by returning zend_new_array(0) instead of &amp;zend_empty_array.

An alternative was to make ZVAL_ARR() aware of immutable arrays, like ZVAL_STR() is with interned strings, but I found no other problematic cases.
diff --git a/Zend/tests/lazy_objects/oss_fuzz_71382.phpt b/Zend/tests/lazy_objects/oss_fuzz_71382.phpt
@@ -0,0 +1,27 @@
+--TEST--
+oss-fuzz #71382
+--FILE--
+<?php
+
+class C {
+    public $a;
+    public $b {
+        get {
+        }
+    }
+}
+
+$reflector = new ReflectionClass(C::class);
+$obj = $reflector->newLazyGhost(function() {
+    throw new \Exception('initializer');
+});
+
+try {
+    foreach($obj as $a) {
+    }
+} catch (Exception $e) {
+    printf("%s: %s\n", $e::class, $e->getMessage());
+}
+
+--EXPECT--
+Exception: initializer
diff --git a/Zend/zend_property_hooks.c b/Zend/zend_property_hooks.c
@@ -54,7 +54,7 @@ static zend_array *zho_build_properties_ex(zend_object *zobj, bool check_access,
 	if (UNEXPECTED(zend_lazy_object_must_init(zobj))) {
 		zobj = zend_lazy_object_init(zobj);
 		if (UNEXPECTED(!zobj)) {
-			return (zend_array*) &zend_empty_array;
+			return zend_new_array(0);
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ static zend_array zho_build_properties_ex(zend_object zobj, bool check_access,`
`54`	`54`	`if (UNEXPECTED(zend_lazy_object_must_init(zobj))) {`
`55`	`55`	`zobj = zend_lazy_object_init(zobj);`
`56`	`56`	`if (UNEXPECTED(!zobj)) {`
`57`		`- return (zend_array*) &zend_empty_array;`
	`57`	`+ return zend_new_array(0);`
`58`	`58`	`}`
`59`	`59`	`}`
`60`	`60`