Fix out of bounds read in sccp
authorNikita Popov <nikita.ppv@gmail.com>
Fri, 28 Jun 2019 10:38:28 +0000 (12:38 +0200)
committerNikita Popov <nikita.ppv@gmail.com>
Fri, 28 Jun 2019 12:47:49 +0000 (14:47 +0200)
ext/opcache/Optimizer/sccp.c

index ab202d2ead08d1165a78388aecd828a025d4c07c..0f5f1d18e1687fea38f037d5ab0b242d45ab7b7e 100644 (file)
@@ -2329,6 +2329,7 @@ static int try_remove_definition(sccp_ctx *ctx, int var_num, zend_ssa_var *var,
                                if (opline->opcode == ZEND_DO_ICALL) {
                                        removed_ops = remove_call(ctx, opline, ssa_op);
                                } else if (opline->opcode == ZEND_TYPE_CHECK
+                                               && ssa_op->op1_use >= 0
                                                && !value_known(&ctx->values[ssa_op->op1_use])) {
                                        /* For TYPE_CHECK we may compute the result value without knowing the
                                         * operand, based on type inference information. Make sure the operand is
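Review bot: The added `ssa_op->op1_use >= 0` guard in the ZEND_TYPE_CHECK branch has no comment saying when op1 lacks an SSA use, so the reason for the check survives only in the commit title. I would extend the existing block comment with something like `/* op1_use is negative when op1 is not an SSA variable use, so it must not index ctx->values. */`; the meaning of the negative value is inferred here, not shown in the hunk. When the guard fails, control now falls to whatever follows this `else if`, which lies outside the hunk along with the rest of try_remove_definition, so it is worth confirming that path is the intended handling for a TYPE_CHECK whose operand is not a variable. No regression test for the out-of-bounds read is visible on this page; if the commit does not include one, a test that exercises this case under a memory sanitizer would keep the guard from being dropped later.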