Fix RC inference narrowing for ASSIGN_OBJ

iluuu1994 · iluuu1994 · commit 4183db659af0 · 2024-02-06T23:48:45.000+01:00
Fixes oss-fuzz #6519
diff --git a/Zend/Optimizer/zend_inference.c b/Zend/Optimizer/zend_inference.c
@@ -3030,12 +3030,12 @@ static zend_always_inline zend_result _zend_update_type_info(
 		case ZEND_ASSIGN_OBJ:
 			if (opline->op1_type == IS_CV) {
 				zend_class_entry *ce = ssa_var_info[ssa_op->op1_use].ce;
-				bool add_rc = !ce
+				bool add_rc = (t1 & (MAY_BE_OBJECT|MAY_BE_REF)) && (!ce
 					|| ce->__set
 					/* Non-default write_property may be set within create_object. */
 					|| ce->create_object
 					|| ce->default_object_handlers->write_property != zend_std_write_property
-					|| ssa_var_info[ssa_op->op1_use].is_instanceof;
+					|| ssa_var_info[ssa_op->op1_use].is_instanceof);
 				tmp = (t1 & (MAY_BE_REF|MAY_BE_OBJECT|MAY_BE_RC1|MAY_BE_RCN))|(add_rc ? (MAY_BE_RC1|MAY_BE_RCN) : 0);
 				UPDATE_SSA_TYPE(tmp, ssa_op->op1_def);
 				COPY_SSA_OBJ_TYPE(ssa_op->op1_use, ssa_op->op1_def);
diff --git a/Zend/tests/oss_fuzz_66519.phpt b/Zend/tests/oss_fuzz_66519.phpt
@@ -0,0 +1,14 @@
+--TEST--
+oss-fuzz #66519: Fix RC inference narrowing for ASSIGN_OBJ
+--FILE--
+<?php
+function test() {
+    for (;;) {
+        [] ?? $oj->y = y;
+        $oj = new stdClass;
+    }
+}
+?>
+===DONE===
+--EXPECT--
+===DONE===
