From b5abd77bdffb7c87dfacc6d0392ef5b567ea1f7a Mon Sep 17 00:00:00 2001
From: Arshid
Date: Wed, 4 Feb 2026 02:32:43 +0530
Subject: [PATCH 1/2] [skip ci] Remove unreachable code after zend_error_noreturn calls (GH-21122)
---
 Zend/zend_ast.c | 1 -
 Zend/zend_inheritance.c | 1 -
 ext/zend_test/test.c | 1 -
 3 files changed, 3 deletions(-)
diff --git a/Zend/zend_ast.c b/Zend/zend_ast.c
index a6071d2284130..9d93c4d222518 100644
--- a/Zend/zend_ast.c
+++ b/Zend/zend_ast.c
@@ -1153,7 +1153,6 @@ static zend_result ZEND_FASTCALL zend_ast_evaluate_inner(
 if (args->children != 1 || args->child[0]->attr != ZEND_PLACEHOLDER_VARIADIC) {
 /* TODO: PFAs */
 zend_error_noreturn(E_COMPILE_ERROR, "Constant expression contains invalid operations");
- return FAILURE;
 }
 switch (ast->kind) {
diff --git a/Zend/zend_inheritance.c b/Zend/zend_inheritance.c
index bd33515050c8d..bac92ccafc4fc 100644
--- a/Zend/zend_inheritance.c
+++ b/Zend/zend_inheritance.c
@@ -2263,7 +2263,6 @@ static void zend_do_implement_interfaces(zend_class_entry *ce, zend_class_entry
 if (UNEXPECTED(!(iface->ce_flags & ZEND_ACC_INTERFACE))) {
 efree(interfaces);
 zend_error_noreturn(E_ERROR, "%s cannot implement %s - it is not an interface", ZSTR_VAL(ce->name), ZSTR_VAL(iface->name));
- return;
 }
 for (uint32_t j = 0; j < num_interfaces; j++) {
 if (interfaces[j] == iface) {
diff --git a/ext/zend_test/test.c b/ext/zend_test/test.c
index 31a14f219acbf..d99c40bc72be5 100644
--- a/ext/zend_test/test.c
+++ b/ext/zend_test/test.c
@@ -493,7 +493,6 @@ static ZEND_FUNCTION(zend_call_method)
 ce = zend_lookup_class(Z_STR_P(class_or_object));
 if (!ce) {
 zend_error_noreturn(E_ERROR, "Unknown class '%s'", Z_STRVAL_P(class_or_object));
- return;
 }
 } else {
 zend_argument_type_error(1, "must be of type object|string, %s given", zend_zval_value_name(class_or_object));
From 27d28eef1eb410a9e80e51b8ed6e1421284224a7 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo
Date: Wed, 4 Feb 2026 01:47:01 +0100
Subject: [PATCH 2/2] Fix mistakenly allowed assignment to assignment through list operator (GH-21123)
Fixes OSS-Fuzz #480111866
Introduced in GH-20628
---
 Zend/tests/oss-fuzz-480111866.phpt | 10 ++++++++++
 Zend/zend_compile.c | 18 +++++++++++-------
 2 files changed, 21 insertions(+), 7 deletions(-)
 create mode 100644 Zend/tests/oss-fuzz-480111866.phpt
diff --git a/Zend/tests/oss-fuzz-480111866.phpt b/Zend/tests/oss-fuzz-480111866.phpt
new file mode 100644
index 0000000000000..ba956f0f9ac63
--- /dev/null
+++ b/Zend/tests/oss-fuzz-480111866.phpt
@@ -0,0 +1,10 @@
+--TEST--
+OSS-Fuzz #480111866: Assignment to assignment through list operator
+--FILE--
+
+--EXPECTF--
+Fatal error: Assignments can only happen to writable values in %s on line %d
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 688a50749a61d..23db72bb4fda1 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -2734,16 +2734,21 @@ void zend_emit_final_return(bool return_one) /* {{{ */
 }
 /* }}} */
-static bool zend_propagate_list_refs(zend_ast *ast);
-
 static inline bool zend_is_variable(const zend_ast *ast) /* {{{ */
 {
- if (ast->kind == ZEND_AST_VAR
+ return ast->kind == ZEND_AST_VAR
 || ast->kind == ZEND_AST_DIM
 || ast->kind == ZEND_AST_PROP
 || ast->kind == ZEND_AST_NULLSAFE_PROP
- || ast->kind == ZEND_AST_STATIC_PROP
- || ast->kind == ZEND_AST_ASSIGN_REF) {
+ || ast->kind == ZEND_AST_STATIC_PROP;
+}
+/* }}} */
+
+static bool zend_propagate_list_refs(zend_ast *ast);
+
+static inline bool zend_is_passable_by_ref(const zend_ast *ast)
+{
+ if (zend_is_variable(ast) || ast->kind == ZEND_AST_ASSIGN_REF) {
 return true;
 }
 if (ast->kind == ZEND_AST_ASSIGN
@@ -2753,7 +2758,6 @@ static inline bool zend_is_variable(const zend_ast *ast) /* {{{ */
 }
 return false;
 }
-/* }}} */
 static inline bool zend_is_call(const zend_ast *ast) /* {{{ */
 {
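Review bot: `zend_is_passable_by_ref()` is added without a comment, and nothing in the first zend_compile.c hunk records why `ZEND_AST_ASSIGN_REF` and the `ZEND_AST_ASSIGN` case were taken out of `zend_is_variable()`, so a later change could fold them back in and reopen the fuzzer finding. I would put `/* Superset of zend_is_variable(): also accepts assignment nodes, for by-ref argument passing only. Never use it to decide whether a node is an assignment target. */` above the new function, and `/* Writable variable kinds only; do not add assignment nodes here. */` above `zend_is_variable()`. The other callers of `zend_is_variable()` are outside this patch, so that they all want the narrow meaning is an assumption worth confirming; the only site moved to the wider predicate is the one in `zend_compile_args` (third hunk). The new function also lacks the `/* {{{ */` and `/* }}} */` markers its neighbours carry, and its body runs past the end of this hunk.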
@@ -3875,7 +3879,7 @@ static uint32_t zend_compile_args(
 opcode = ZEND_SEND_VAR_NO_REF_EX;
 }
 }
- } else if (zend_is_variable(arg) && !zend_ast_is_short_circuited(arg)) {
+ } else if (zend_is_passable_by_ref(arg) && !zend_ast_is_short_circuited(arg)) {
 if (fbc && arg_num != (uint32_t) -1) {
 if (ARG_SHOULD_BE_SENT_BY_REF(fbc, arg_num)) {
 zend_compile_var(&arg_node, arg, BP_VAR_W, true);