From 2bbf2a91aacd59d3511b5e22cac064d708140caa Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Tue, 15 Sep 2020 15:25:22 +0200
Subject: [PATCH] Fix assumption about property guard hash value

The "member" string here does not necessarily have a pre-calculated hash value. In particular this is not the case if the class has no properties. Fixes oss-fuzz #25546.
---
 Zend/tests/property_guard_hash_val.phpt | 16 ++++++++++++++++
 Zend/zend_object_handlers.c | 4 ++--
 2 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 Zend/tests/property_guard_hash_val.phpt
diff --git a/Zend/tests/property_guard_hash_val.phpt b/Zend/tests/property_guard_hash_val.phpt
new file mode 100644
index 0000000000..9215523064
--- /dev/null
+++ b/Zend/tests/property_guard_hash_val.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Test property guard hash value assumption
+--FILE--
+{$var.''};
+ }
+}
+
+$test = new Test;
+var_dump($test->x);
+?>
+--EXPECTF--
+Notice: Undefined property: Test::$x in %s on line %d
+NULL
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index a0a5e48dee..4dcfadc239 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -619,8 +619,8 @@ ZEND_API uint32_t *zend_get_property_guard(zend_object *zobj, zend_string *membe
 if (EXPECTED(Z_TYPE_P(zv) == IS_STRING)) {
 zend_string *str = Z_STR_P(zv);
 if (EXPECTED(str == member) ||
- /* hash values are always pred-calculated here */
- (EXPECTED(ZSTR_H(str) == ZSTR_H(member)) &&
+ /* "str" always has a pre-calculated hash value here */
+ (EXPECTED(ZSTR_H(str) == zend_string_hash_val(member)) &&
 EXPECTED(zend_string_equal_content(str, member)))) {
 return &Z_PROPERTY_GUARD_P(zv);
 } else if (EXPECTED(Z_PROPERTY_GUARD_P(zv) == 0)) {
--
2.40.0
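Review bot: The replacement comment `/* "str" always has a pre-calculated hash value here */` states an invariant that nothing in this hunk enforces, and the left-hand side of the comparison still reads the raw field with `ZSTR_H(str)`; this is the same kind of unchecked assumption the commit removes for `member`. The code that stores `str` into the guard slot is outside the hunk, so whether its hash is always computed cannot be confirmed from here. If it is not, two equal names compare unequal and the lookup misses the existing guard entry, which presumably weakens the recursion protection this guard provides. Using the accessor on both sides, `(EXPECTED(zend_string_hash_val(str) == zend_string_hash_val(member)) &&`, removes the dependency; alternatively an assertion next to the comment would make the invariant checkable in debug builds. The body of zend_get_property_guard begins and ends outside the hunk.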