Fix assumption about property guard hash value
authorNikita Popov <nikita.ppv@gmail.com>
Tue, 15 Sep 2020 13:25:22 +0000 (15:25 +0200)
committerNikita Popov <nikita.ppv@gmail.com>
Tue, 15 Sep 2020 13:26:41 +0000 (15:26 +0200)
The "member" string here does not necessarily have a pre-calculated
hash value. In particular this is not the case if the class has no
properties.

Fixes oss-fuzz #25546.

Zend/tests/property_guard_hash_val.phpt [new file with mode: 0644]
Zend/zend_object_handlers.c

diff --git a/Zend/tests/property_guard_hash_val.phpt b/Zend/tests/property_guard_hash_val.phpt
new file mode 100644 (file)
index 0000000..9215523
--- /dev/null
@@ -0,0 +1,16 @@
+--TEST--
+Test property guard hash value assumption
+--FILE--
+<?php
+class Test {
+    function __get($var) {
+        return $this->{$var.''};
+    }
+}
+
+$test = new Test;
+var_dump($test->x);
+?>
+--EXPECTF--
+Notice: Undefined property: Test::$x in %s on line %d
+NULL
index a0a5e48dee3f75b788845775e1a7f055af3bf8bc..4dcfadc239e93d1d1361c8c85ec2ea1481ce265e 100644 (file)
@@ -619,8 +619,8 @@ ZEND_API uint32_t *zend_get_property_guard(zend_object *zobj, zend_string *membe
        if (EXPECTED(Z_TYPE_P(zv) == IS_STRING)) {
                zend_string *str = Z_STR_P(zv);
                if (EXPECTED(str == member) ||
-                    /* hash values are always pred-calculated here */
-                   (EXPECTED(ZSTR_H(str) == ZSTR_H(member)) &&
+                    /* "str" always has a pre-calculated hash value here */
+                   (EXPECTED(ZSTR_H(str) == zend_string_hash_val(member)) &&
                     EXPECTED(zend_string_equal_content(str, member)))) {
                        return &Z_PROPERTY_GUARD_P(zv);
                } else if (EXPECTED(Z_PROPERTY_GUARD_P(zv) == 0)) {
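Review bot: The hash comparison still rests on an unchecked invariant: the left-hand side reads `ZSTR_H(str)` directly, backed only by the comment that "str" always has a pre-calculated hash value. That is the same kind of assumption that just proved false for `member`, and the places that store `str` into the guard slot are outside this hunk, so it cannot be confirmed from here. If any of them stores a string whose hash was never computed, `ZSTR_H(str)` is 0, the comparison fails for an equal name held in a different zend_string, and the existing guard for that property is presumably not found. Either compare `zend_string_hash_val(str) == zend_string_hash_val(member)`, or add `ZEND_ASSERT(ZSTR_H(str) != 0);` before the `if` so that a debug or fuzzing build catches a violation. The body of zend_get_property_guard continues outside the hunk.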