diff --git a/Zend/tests/property_hooks/oss_fuzz_403308724.phpt b/Zend/tests/property_hooks/oss_fuzz_403308724.phpt
new file mode 100644
index 0000000000000..b27b08dd703b6
--- /dev/null
+++ b/Zend/tests/property_hooks/oss_fuzz_403308724.phpt
@@ -0,0 +1,30 @@
+--TEST--
+OSS-Fuzz #403308724
+--FILE--
+ 1; }
+}
+
+class Test extends Base {
+ public $y {
+ get => [new class {
+ public $inner {get => __PROPERTY__;}
+ }, parent::$y::get()];
+ }
+}
+
+$test = new Test;
+$y = $test->y;
+var_dump($y);
+var_dump($y[0]->inner);
+?>
+--EXPECT--
+array(2) {
+ [0]=>
+ object(class@anonymous)#2 (0) {
+ }
+ [1]=>
+ int(1)
+}
+string(5) "inner"
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index e5df485919942..cd0ac6eb07b9c 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -8686,7 +8686,7 @@ static void zend_compile_prop_decl(zend_ast *ast, zend_ast *type_ast, uint32_t f
 zend_type type = ZEND_TYPE_INIT_NONE(0);
 flags |= zend_property_is_virtual(ce, name, hooks_ast, flags) ? ZEND_ACC_VIRTUAL : 0;
- ZEND_ASSERT(!CG(context).active_property_info_name);
+ zend_string *old_active_property_info_name = CG(context).active_property_info_name;
 CG(context).active_property_info_name = name;
 if (!hooks_ast) {
@@ -8782,7 +8782,7 @@ static void zend_compile_prop_decl(zend_ast *ast, zend_ast *type_ast, uint32_t f
 zend_compile_attributes(&info->attributes, attr_ast, 0, ZEND_ATTRIBUTE_TARGET_PROPERTY, 0);
 }
- CG(context).active_property_info_name = NULL;
+ CG(context).active_property_info_name = old_active_property_info_name;
 }
 }
 /* }}} */
diff --git a/ext/mysqli/tests/fetch/mysqli_fetch_all_data_types_variation.phpt b/ext/mysqli/tests/fetch/mysqli_fetch_all_data_types_variation.phpt
index 69fc427001fd0..594980ec0f829 100644
--- a/ext/mysqli/tests/fetch/mysqli_fetch_all_data_types_variation.phpt
+++ b/ext/mysqli/tests/fetch/mysqli_fetch_all_data_types_variation.phpt
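Review bot: The new save/restore of `CG(context).active_property_info_name` in zend_compile_prop_decl (Zend/zend_compile.c, both hunks) carries no comment explaining why property declarations can nest, and the removed `ZEND_ASSERT` was the only place the old non-nesting assumption was written down. The accompanying test suggests the nesting comes from an anonymous class declared inside a property hook, so above the new local I would add `/* A hook body may declare an anonymous class with its own properties, so this can nest: save the outer name and restore it below. */`. `ZEND_ASSERT` is normally compiled out of release builds, so the old code there presumably went on and cleared the outer name to NULL after the inner declaration; a sentence saying so would tell readers this is a behaviour fix and not only an assertion cleanup. The function body between the two hunks is not visible, so please confirm that no early exit from the loop iteration skips the restore in the second hunk.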
@@ -122,22 +122,27 @@ func_mysqli_fetch_all($link, $engine, "DECIMAL(10,2)", "99999999.99", "99999999.
 func_mysqli_fetch_all($link, $engine, "DECIMAL(10,2)", NULL, NULL, 400);
 // don't care about date() strict TZ warnings...
-func_mysqli_fetch_all($link, $engine, "DATE", @date('Y-m-d'), @date('Y-m-d'), 410);
-func_mysqli_fetch_all($link, $engine, "DATE NOT NULL", @date('Y-m-d'), @date('Y-m-d'), 420);
+$date = @date('Y-m-d');
+$datetime = @date('Y-m-d H:i:s');
+$time = @date('H:i:s');
+$year = @date('Y');
+
+func_mysqli_fetch_all($link, $engine, "DATE", $date, $date, 410);
+func_mysqli_fetch_all($link, $engine, "DATE NOT NULL", $date, $date, 420);
 func_mysqli_fetch_all($link, $engine, "DATE", NULL, NULL, 430);
-func_mysqli_fetch_all($link, $engine, "DATETIME", @date('Y-m-d H:i:s'), @date('Y-m-d H:i:s'), 440);
-func_mysqli_fetch_all($link, $engine, "DATETIME NOT NULL", @date('Y-m-d H:i:s'), @date('Y-m-d H:i:s'), 450);
+func_mysqli_fetch_all($link, $engine, "DATETIME", $datetime, $datetime, 440);
+func_mysqli_fetch_all($link, $engine, "DATETIME NOT NULL", $datetime, $datetime, 450);
 func_mysqli_fetch_all($link, $engine, "DATETIME", NULL, NULL, 460);
-func_mysqli_fetch_all($link, $engine, "TIMESTAMP", @date('Y-m-d H:i:s'), @date('Y-m-d H:i:s'), 470);
+func_mysqli_fetch_all($link, $engine, "TIMESTAMP", $datetime, $datetime, 470);
-func_mysqli_fetch_all($link, $engine, "TIME", @date('H:i:s'), @date('H:i:s'), 480);
-func_mysqli_fetch_all($link, $engine, "TIME NOT NULL", @date('H:i:s'), @date('H:i:s'), 490);
+func_mysqli_fetch_all($link, $engine, "TIME", $time, $time, 480);
+func_mysqli_fetch_all($link, $engine, "TIME NOT NULL", $time, $time, 490);
 func_mysqli_fetch_all($link, $engine, "TIME", NULL, NULL, 500);
-func_mysqli_fetch_all($link, $engine, "YEAR", @date('Y'), @date('Y'), 510);
-func_mysqli_fetch_all($link, $engine, "YEAR NOT NULL", @date('Y'), @date('Y'), 520);
+func_mysqli_fetch_all($link, $engine, "YEAR", $year, $year, 510);
+func_mysqli_fetch_all($link, $engine, "YEAR NOT NULL", $year, $year, 520);
 func_mysqli_fetch_all($link, $engine, "YEAR", NULL, NULL, 530);
 $string255 = func_mysqli_fetch_array_make_string(255);
diff --git a/sapi/fuzzer/fuzzer-json.c b/sapi/fuzzer/fuzzer-json.c
index 930f136a47236..78c8505c2f1dc 100644
--- a/sapi/fuzzer/fuzzer-json.c
+++ b/sapi/fuzzer/fuzzer-json.c
@@ -15,8 +15,6 @@
 +----------------------------------------------------------------------+
 */
-
-
 #include "fuzzer.h"
 #include "Zend/zend.h"
@@ -31,14 +29,15 @@
 #include "ext/json/php_json_parser.h"
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
- char *data = malloc(Size+1);
- memcpy(data, Data, Size);
- data[Size] = '\0';
- if (fuzzer_request_startup() == FAILURE) {
+ if (fuzzer_request_startup() == FAILURE){
 return 0;
 }
+ char *data = malloc(Size + 1);
+ memcpy(data, Data, Size);
+ data[Size] = '\0';
+
 for (int option = 0; option <=1; ++option) {
 zval result;
 php_json_parser parser;
diff --git a/sapi/fuzzer/fuzzer-mbregex.c b/sapi/fuzzer/fuzzer-mbregex.c
index 451b19d99e310..f96e593ba8d24 100644
--- a/sapi/fuzzer/fuzzer-mbregex.c
+++ b/sapi/fuzzer/fuzzer-mbregex.c
@@ -30,15 +30,16 @@
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 #ifdef HAVE_MBREGEX
- char *args[2];
- char *data = malloc(Size+1);
- memcpy(data, Data, Size);
- data[Size] = '\0';
 if (fuzzer_request_startup() == FAILURE) {
 return 0;
 }
+ char *args[2];
+ char *data = malloc(Size+1);
+ memcpy(data, Data, Size);
+ data[Size] = '\0';
+
 fuzzer_setup_dummy_frame();
 args[0] = data;
diff --git a/sapi/fuzzer/fuzzer-unserialize.c b/sapi/fuzzer/fuzzer-unserialize.c
index 023a19fbd08d3..8a889883a97d8 100644
--- a/sapi/fuzzer/fuzzer-unserialize.c
+++ b/sapi/fuzzer/fuzzer-unserialize.c
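Review bot: The relocated `malloc(Size + 1)` in LLVMFuzzerTestOneInput (sapi/fuzzer/fuzzer-json.c, second hunk) is still used unchecked, so an allocation failure reaches `memcpy(data, Data, Size)` with a NULL destination and the harness crashes by itself instead of in the code under test; the moved allocations in fuzzer-mbregex.c, fuzzer-unserialize.c and fuzzer-unserializehash.c have the same gap. A guard `if (!data)` directly after the allocation would cover it, and because the buffer is now allocated after `fuzzer_request_startup()` has succeeded, that branch has to tear the request down the way the end of the function does (outside the hunk) before returning 0. A short comment such as `/* Allocate after startup so the early return above cannot leak the copy. */` would record why the order matters. Minor style point: this hunk changes `== FAILURE) {` to `== FAILURE){`, dropping the space the other harnesses keep.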
@@ -30,14 +30,15 @@
 #include "ext/standard/php_var.h"
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
- unsigned char *orig_data = malloc(Size+1);
- memcpy(orig_data, Data, Size);
- orig_data[Size] = '\0';
 if (fuzzer_request_startup() == FAILURE) {
 return 0;
 }
+ unsigned char *orig_data = malloc(Size+1);
+ memcpy(orig_data, Data, Size);
+ orig_data[Size] = '\0';
+
 fuzzer_setup_dummy_frame();
 {
diff --git a/sapi/fuzzer/fuzzer-unserializehash.c b/sapi/fuzzer/fuzzer-unserializehash.c
index 90d874aba88cc..447e95d0ee815 100644
--- a/sapi/fuzzer/fuzzer-unserializehash.c
+++ b/sapi/fuzzer/fuzzer-unserializehash.c
@@ -34,15 +34,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
 }
 ++Start;
+ if (fuzzer_request_startup() == FAILURE) {
+ return 0;
+ }
+
 size_t Size = (Data + FullSize) - Start;
 unsigned char *orig_data = malloc(Size+1);
 memcpy(orig_data, Start, Size);
 orig_data[Size] = '\0';
- if (fuzzer_request_startup() == FAILURE) {
- return 0;
- }
-
 fuzzer_setup_dummy_frame();
 {