From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 27 Jul 2020 08:27:26 +0000 (+0200)
Subject: Fix null pointer deref in compile_return()
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=08e6c209550a268500bbdef48c1b19494272e6e8;p=php

Fix null pointer deref in compile_return()

Fixes oss-fuzz #24387.
---

diff --git a/Zend/tests/return_ref_none.phpt b/Zend/tests/return_ref_none.phpt
new file mode 100644
index 0000000000..39c41d032b
--- /dev/null
+++ b/Zend/tests/return_ref_none.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Argument-less return from by-ref function
+--FILE--
+<?php
+
+function &test() {
+    return;
+}
+
+$ref =& test();
+
+?>
+--EXPECTF--
+Notice: Only variable references should be returned by reference in %s on line %d
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 51849a2f94..28abcf272d 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -4631,14 +4631,14 @@ void zend_compile_return(zend_ast *ast) /* {{{ */
 		by_ref = 0;
 	}
 
-	if (by_ref && zend_ast_is_short_circuited(expr_ast)) {
-		zend_error_noreturn(E_COMPILE_ERROR, "Cannot take reference of a nullsafe chain");
-	}
-
 	if (!expr_ast) {
 		expr_node.op_type = IS_CONST;
 		ZVAL_NULL(&expr_node.u.constant);
 	} else if (by_ref && zend_is_variable(expr_ast)) {
+		if (zend_ast_is_short_circuited(expr_ast)) {
+			zend_error_noreturn(E_COMPILE_ERROR, "Cannot take reference of a nullsafe chain");
+		}
+
 		zend_compile_var(&expr_node, expr_ast, BP_VAR_W, 1);
 	} else {
 		zend_compile_expr(&expr_node, expr_ast);