Fix FETCH_OBJ_UNSET IS_UNDEF result

iluuu1994 · iluuu1994 · commit 8b4ef3a09f07 · 2026-01-16T19:27:21.000+01:00
UNSET_OBJ et al. do not expect to find IS_UNDEF results for IS_INDIRECT vars. To solve this, return IS_NULL from FETCH_OBJ_UNSET when properties are uninitialized. Do the same for FETCH_STATIC_PROP_IS, as we're otherwise copying IS_UNDEF into the VAR result, which is not a valid value for VAR. Fixes OSS-Fuzz #429429090 Closes phpGH-19160
diff --git a/NEWS b/NEWS
@@ -8,6 +8,8 @@ PHP                                                                        NEWS
   . It is now possible to use reference assign on WeakMap without the key
     needing to be present beforehand. (ndossche)
   . Added `clamp()`. (kylekatarnls, thinkverse)
+  . Fix OSS-Fuzz #429429090 (Failed assertion on unset() with uninitialized
+    container). (ilutov)
 
 - Date:
   . Update timelib to 2022.16. (Derick)
diff --git a/Zend/Optimizer/zend_inference.c b/Zend/Optimizer/zend_inference.c
@@ -3840,7 +3840,7 @@ static zend_always_inline zend_result _zend_update_type_info(
 					tmp &= ~MAY_BE_RC1;
 				}
 				if (opline->opcode == ZEND_FETCH_STATIC_PROP_IS) {
-					tmp |= MAY_BE_UNDEF;
+					tmp |= MAY_BE_NULL;
 				}
 			}
 			UPDATE_SSA_TYPE(tmp, ssa_op->result_def);
diff --git a/Zend/tests/oss_fuzz_429429090.phpt b/Zend/tests/oss_fuzz_429429090.phpt
@@ -0,0 +1,20 @@
+--TEST--
+OSS-Fuzz #429429090: FETCH_OBJ_UNSET IS_UNDEF result
+--FILE--
+<?php
+
+class C {
+    public D $x;
+    static D $y;
+}
+
+$c = new C();
+isset($c->x[0]->prop);
+unset($c->x[0]->prop);
+isset(C::$y[0]->prop);
+unset(C::$y[0]->prop);
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
@@ -3626,6 +3626,9 @@ static zend_always_inline void zend_fetch_property_address(zval *result, zval *c
 	} else if (UNEXPECTED(Z_ISERROR_P(ptr))) {
 		ZVAL_ERROR(result);
 		goto end;
+	} else if (type == BP_VAR_UNSET && UNEXPECTED(Z_TYPE_P(ptr) == IS_UNDEF)) {
+		ZVAL_NULL(result);
+		goto end;
 	}
 
 	ZVAL_INDIRECT(result, ptr);
@@ -3777,6 +3780,11 @@ static zend_never_inline zval* zend_fetch_static_property_address_ex(zend_proper
 		return NULL;
 	}
 
+	if (UNEXPECTED(Z_TYPE_P(result) == IS_UNDEF)
+	 && (fetch_type == BP_VAR_IS || fetch_type == BP_VAR_UNSET)) {
+		return NULL;
+	 }
+
 	*prop_info = property_info;
 
 	if (EXPECTED(op1_type == IS_CONST)
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -1866,7 +1866,7 @@ ZEND_VM_INLINE_HELPER(zend_fetch_static_prop_helper, ANY, ANY, int type)
 		&prop_info, opline->extended_value & ~ZEND_FETCH_OBJ_FLAGS, type,
 		type == BP_VAR_W ? opline->extended_value : 0 OPLINE_CC EXECUTE_DATA_CC);
 	if (UNEXPECTED(!prop)) {
-		ZEND_ASSERT(EG(exception) || (type == BP_VAR_IS));
+		ZEND_ASSERT(EG(exception) || (type == BP_VAR_IS) || (type == BP_VAR_UNSET));
 		prop = &EG(uninitialized_zval);
 	} else if (UNEXPECTED(prop_info->flags & ZEND_ACC_PPP_SET_MASK)
 	 && (type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET)
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h

Original file line number	Diff line number	Diff line change
`@@ -3840,7 +3840,7 @@ static zend_always_inline zend_result _zend_update_type_info(`
`3840`	`3840`	`tmp &= ~MAY_BE_RC1;`
`3841`	`3841`	`}`
`3842`	`3842`	`if (opline->opcode == ZEND_FETCH_STATIC_PROP_IS) {`
`3843`		`- tmp \|= MAY_BE_UNDEF;`
	`3843`	`+ tmp \|= MAY_BE_NULL;`
`3844`	`3844`	`}`
`3845`	`3845`	`}`
`3846`	`3846`	`UPDATE_SSA_TYPE(tmp, ssa_op->result_def);`