Fix OSS-Fuzz #454273637: UAF with printf optimization and const output (php#20261)

ndossche · web-flow · commit 09c39a8fd9e9 · 2025-10-23T08:23:55.000+02:00
Note that ZEND_COPY_TMP isn't even valid for CONSTs, and we would need
to add a ref even if it were, so just add special handling instead to
simplify it.
diff --git a/Zend/tests/oss_fuzz_454273637.phpt b/Zend/tests/oss_fuzz_454273637.phpt
@@ -0,0 +1,8 @@
+--TEST--
+OSS-Fuzz #454273637 (UAF with printf optimization and const output)
+--FILE--
+<?php
+printf('%%');
+?>
+--EXPECT--
+%
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
@@ -5009,9 +5009,17 @@ static zend_result zend_compile_func_printf(znode *result, zend_ast_list *args)
 	 * pass in the Zend Optimizer if the result of the printf() is in fact
 	 * unused */
 	znode copy;
-	zend_emit_op_tmp(&copy, ZEND_COPY_TMP, &rope_result, NULL);
-	zend_emit_op(NULL, ZEND_ECHO, &rope_result, NULL);
-	zend_emit_op_tmp(result, ZEND_STRLEN, &copy, NULL);
+	if (rope_result.op_type != IS_CONST) {
+		/* Note: ZEND_COPY_TMP is only valid for TMPVAR. */
+		ZEND_ASSERT(rope_result.op_type == IS_TMP_VAR);
+		zend_emit_op_tmp(&copy, ZEND_COPY_TMP, &rope_result, NULL);
+		zend_emit_op(NULL, ZEND_ECHO, &rope_result, NULL);
+		zend_emit_op_tmp(result, ZEND_STRLEN, &copy, NULL);
+	} else {
+		zend_emit_op(NULL, ZEND_ECHO, &rope_result, NULL);
+		result->op_type = IS_CONST;
+		ZVAL_LONG(&result->u.constant, Z_STRLEN(rope_result.u.constant));
+	}
 
 	return SUCCESS;
 }
