From a07c1f56aac1c0f6c8334760009b678cbf9d6138 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Wed, 2 Sep 2020 10:13:42 +0200
Subject: [PATCH] Fix infinite loop on string offset during by-ref list assign

There is a deeper underlying issue here, in that the opcodes violate VM write-fetch safety, but let's fix the infinite loop first.

This fixes oss-fuzz #25352.
---
 .../list_assign_ref_string_offset_error.phpt | 16 ++++++++++++++++
 Zend/zend_execute.c | 1 +
 2 files changed, 17 insertions(+)
 create mode 100644 Zend/tests/list_assign_ref_string_offset_error.phpt

diff --git a/Zend/tests/list_assign_ref_string_offset_error.phpt b/Zend/tests/list_assign_ref_string_offset_error.phpt
new file mode 100644
index 0000000000..c4e99d01a2
--- /dev/null
+++ b/Zend/tests/list_assign_ref_string_offset_error.phpt
@@ -0,0 +1,16 @@
+--TEST--
+String offset error during list() by-ref assignment
+--FILE--
+
+--EXPECTF--
+Fatal error: Uncaught Error: Cannot create references to/from string offsets in %s:%d
+Stack trace:
+#0 {main}
+ thrown in %s on line %d
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 0eb6639b2e..9a891273bc 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1329,6 +1329,7 @@ static zend_never_inline ZEND_COLD void zend_wrong_string_offset(EXECUTE_DATA_D)
 msg = "Cannot create references to/from string offsets";
 break;
 }
+ opline++;
 }
 break;
 EMPTY_SWITCH_DEFAULT_CASE();
-- 
2.40.0
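Review bot: The added `opline++` that closes the inner loop body in zend_wrong_string_offset carries no comment and nothing in the hunk bounds it: if this loop walks forward through the op array looking for the opcode that consumes the fetched string offset, an iteration that never finds a match would step past the end of `op_array`. The loop header is outside the hunk, so such a bound may already exist there; if it does not, a debug check such as `ZEND_ASSERT(opline < EX(func)->op_array.opcodes + EX(func)->op_array.last);` right after the increment would turn a runaway walk into an assertion failure rather than an out-of-bounds read. A one-line comment like `/* step past the opcode that re-fetched the string offset, otherwise this loop never terminates (oss-fuzz #25352) */` would record why the increment is the fix, and the "deeper underlying issue" named in the commit message (the opcodes violating VM write-fetch safety) deserves a `/* TODO */` beside it so the workaround is not later mistaken for the real fix. The enclosing switch and zend_wrong_string_offset itself both start and end outside the hunk.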