From: Nikita Popov Date: Mon, 12 Oct 2020 09:22:39 +0000 (+0200) Subject: Detect self-addition of array more accurately X-Git-Tag: php-7.3.24RC1~5 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3c4dd73c023e4aea317f774e045fdccc644f24b5;p=php Detect self-addition of array more accurately While the zvals may be different, they may still point to the same array. Fixes oss-fuzz #26245. --- diff --git a/Zend/tests/array_self_add_globals.phpt b/Zend/tests/array_self_add_globals.phpt new file mode 100644 index 0000000000..ebad7c3fdf --- /dev/null +++ b/Zend/tests/array_self_add_globals.phpt @@ -0,0 +1,10 @@ +--TEST-- +Add $GLOBALS to itself +--FILE-- + +===DONE=== +--EXPECT-- +===DONE=== diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c index 45cdc1b11c..7338e471b6 100644 --- a/Zend/zend_operators.c +++ b/Zend/zend_operators.c @@ -903,7 +903,7 @@ try_again: static zend_never_inline void ZEND_FASTCALL add_function_array(zval *result, zval *op1, zval *op2) /* {{{ */ { - if ((result == op1) && (result == op2)) { + if (result == op1 && Z_ARR_P(op1) == Z_ARR_P(op2)) { /* $a += $a */ return; }
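Review bot: In Zend/tests/array_self_add_globals.phpt the --EXPECT-- section contains only `===DONE===`, so the test shows that the script runs to completion but not that adding $GLOBALS to itself leaves the array unchanged. Consider also printing a stable check on the result, for example an element count taken before and after the addition. A regression that returns without crashing but alters the array would then fail the test.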
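Review bot: The `/* $a += $a */` comment under the new condition in add_function_array (Zend/zend_operators.c) now understates what the branch matches. It also returns early when op1 and op2 are different zvals that point to the same array, which is the case the commit message describes. Suggest extending the comment, e.g. `/* $a += $a, including distinct zvals that share one array */`. It would also help to note that calling Z_ARR_P() on both operands relies on the caller having already established that op1 and op2 are arrays, since no type check is visible in this hunk.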