Fix undef var exception handling in JMP_NULL

We need to initialize the result variable in the exceptional
case as well.

Fixes oss-fuzz #25526.

diff --git a/Zend/tests/nullsafe_operator/039.phpt b/Zend/tests/nullsafe_operator/039.phpt
new file mode 100644 (file)
index 0000000..92983c1
--- /dev/null
+++ b/Zend/tests/nullsafe_operator/039.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Handling of undef variable exception in JMP_NULL
+--FILE--
+<?php
+
+set_error_handler(function($_, $m) {
+    throw new Exception($m);
+});
+
+try {
+    $foo?->foo;
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Undefined variable $foo

diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 4e9a2bd467fb371f1053b867f235cb4c115aad58..02a5e2c96348b4d16cb398fcf2a23d1cbe1c8e8f 100644 (file)
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -7376,6 +7376,7 @@ ZEND_VM_HOT_NOCONST_HANDLER(198, ZEND_JMP_NULL, CONST|TMPVARCV, JMP_ADDR)
                zval *result = EX_VAR(opline->result.var);
 
                if (EXPECTED(opline->extended_value == ZEND_SHORT_CIRCUITING_CHAIN_EXPR)) {
+                       ZVAL_NULL(result);
                        if (UNEXPECTED(Z_TYPE_INFO_P(val) == IS_UNDEF)) {
                                SAVE_OPLINE();
                                ZVAL_UNDEFINED_OP1();
@@ -7383,8 +7384,6 @@ ZEND_VM_HOT_NOCONST_HANDLER(198, ZEND_JMP_NULL, CONST|TMPVARCV, JMP_ADDR)
                                        HANDLE_EXCEPTION();
                                }
                        }
-
-                       ZVAL_NULL(result);
                } else if (opline->extended_value == ZEND_SHORT_CIRCUITING_CHAIN_ISSET) {
                        ZVAL_FALSE(result);
                } else {

diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 27f18240508c284dbaf1b2f44d5139ceb3f9a158..e03712f86828cf4da138a8afe2fc395442ed9262 100644 (file)
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -5279,6 +5279,7 @@ static ZEND_VM_COLD ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_JMP_NULL_SPEC_CON
                zval *result = EX_VAR(opline->result.var);
 
                if (EXPECTED(opline->extended_value == ZEND_SHORT_CIRCUITING_CHAIN_EXPR)) {
+                       ZVAL_NULL(result);
                        if (UNEXPECTED(Z_TYPE_INFO_P(val) == IS_UNDEF)) {
                                SAVE_OPLINE();
                                ZVAL_UNDEFINED_OP1();
@@ -5286,8 +5287,6 @@ static ZEND_VM_COLD ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_JMP_NULL_SPEC_CON
                                        HANDLE_EXCEPTION();
                                }
                        }
-
-                       ZVAL_NULL(result);
                } else if (opline->extended_value == ZEND_SHORT_CIRCUITING_CHAIN_ISSET) {
                        ZVAL_FALSE(result);
                } else {
@@ -12047,6 +12046,7 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_JMP_NULL_SPEC_TMPV
                zval *result = EX_VAR(opline->result.var);
 
                if (EXPECTED(opline->extended_value == ZEND_SHORT_CIRCUITING_CHAIN_EXPR)) {
+                       ZVAL_NULL(result);
                        if (UNEXPECTED(Z_TYPE_INFO_P(val) == IS_UNDEF)) {
                                SAVE_OPLINE();
                                ZVAL_UNDEFINED_OP1();
@@ -12054,8 +12054,6 @@ static ZEND_VM_HOT ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_JMP_NULL_SPEC_TMPV
                                        HANDLE_EXCEPTION();
                                }
                        }
-
-                       ZVAL_NULL(result);
                } else if (opline->extended_value == ZEND_SHORT_CIRCUITING_CHAIN_ISSET) {
                        ZVAL_FALSE(result);
                } else {