JIT: Fix memory leak

dstogov · dstogov · commit 7051dc337295 · 2022-03-21T12:50:30.000+03:00
Fixes oss-fuzz #45658
diff --git a/ext/opcache/jit/zend_jit_helpers.c b/ext/opcache/jit/zend_jit_helpers.c
@@ -860,6 +860,10 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_w_helper(zend_array *ht, zval *dim
 						ZVAL_NULL(EX_VAR(opline->result.var));
 					}
 				}
+				if (opline->opcode == ZEND_ASSIGN_DIM
+				 && ((opline+1)->op1_type & (IS_VAR | IS_TMP_VAR))) {
+					zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var));
+				}
 				return NULL;
 			}
 			/* break missing intentionally */
diff --git a/ext/opcache/tests/jit/assign_dim_014.phpt b/ext/opcache/tests/jit/assign_dim_014.phpt
@@ -0,0 +1,19 @@
+--TEST--
+JIT ASSIGN_DIM: 014
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+set_error_handler(function($code, $err) {
+    echo "Error: $err\n";
+    $GLOBALS['a'] = null;
+});
+$a[$y] = function(){};
+?>
+DONE
+--EXPECT--
+Error: Undefined variable $y
+DONE

Original file line number	Diff line number	Diff line change
`@@ -860,6 +860,10 @@ static zval* ZEND_FASTCALL zend_jit_fetch_dim_w_helper(zend_array ht, zval dim`
`860`	`860`	`ZVAL_NULL(EX_VAR(opline->result.var));`
`861`	`861`	`}`
`862`	`862`	`}`
	`863`	`+ if (opline->opcode == ZEND_ASSIGN_DIM`
	`864`	`+ && ((opline+1)->op1_type & (IS_VAR \| IS_TMP_VAR))) {`
	`865`	`+ zval_ptr_dtor_nogc(EX_VAR((opline+1)->op1.var));`
	`866`	`+ }`
`863`	`867`	`return NULL;`
`864`	`868`	`}`
`865`	`869`	`/* break missing intentionally */`