From: Nikita Popov <nikita.ppv@gmail.com>
Date: Tue, 28 Jul 2020 07:48:13 +0000 (+0200)
Subject: Fix use-after-free when nullsafe used with constant LHS
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5303bcdd32e8171399c2c60bf431e5304a66c39a;p=php

Fix use-after-free when nullsafe used with constant LHS

Fixes oss-fuzz #24436.
---

diff --git a/Zend/tests/nullsafe_operator/029.phpt b/Zend/tests/nullsafe_operator/029.phpt
new file mode 100644
index 0000000000..2aee652140
--- /dev/null
+++ b/Zend/tests/nullsafe_operator/029.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Refcount of constant LHS with nullsafe operator
+--FILE--
+<?php
+['']?->a;
+?>
+--EXPECTF--
+Warning: Attempt to read property "a" on array in %s on line %d
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 28abcf272d..ac9d549756 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -2308,6 +2308,9 @@ static void zend_short_circuiting_commit(uint32_t checkpoint, znode *result, zen
 static void zend_emit_jmp_null(znode *obj_node)
 {
 	uint32_t jmp_null_opnum = get_next_op_number();
+	if (obj_node->op_type == IS_CONST) {
+		Z_TRY_ADDREF(obj_node->u.constant);
+	}
 	zend_emit_op(NULL, ZEND_JMP_NULL, obj_node, NULL);
 	zend_stack_push(&CG(short_circuiting_opnums), &jmp_null_opnum);
 }