From a4c015b4b272b992379517e3b0e8d5c6c6fb213d Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 3 Aug 2020 10:16:04 +0200
Subject: [PATCH] Fix handling of nullsafe method in empty()

Fixes oss-fuzz #24627.
---
 Zend/tests/nullsafe_operator/030.phpt | 22 ++++++++++++++++++++++
 Zend/zend_compile.c                   |  2 +-
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/nullsafe_operator/030.phpt

diff --git a/Zend/tests/nullsafe_operator/030.phpt b/Zend/tests/nullsafe_operator/030.phpt
new file mode 100644
index 0000000000..7bff0b2524
--- /dev/null
+++ b/Zend/tests/nullsafe_operator/030.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Empty on nullsafe method
+--FILE--
+<?php
+
+class Test {
+    public function method($value) {
+        return $value;
+    }
+}
+
+$null = null;
+var_dump(empty($null?->method()));
+$test = new Test;
+var_dump(empty($test?->method(false)));
+var_dump(empty($test?->method(42)));
+
+?>
+--EXPECT--
+bool(true)
+bool(true)
+bool(false)
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 78b72de1a7..5e61760e90 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -8684,7 +8684,6 @@ void zend_compile_isset_or_empty(znode *result, zend_ast *ast) /* {{{ */
 
 	ZEND_ASSERT(ast->kind == ZEND_AST_ISSET || ast->kind == ZEND_AST_EMPTY);
 
-	zend_short_circuiting_mark_inner(var_ast);
 	if (!zend_is_variable(var_ast)) {
 		if (ast->kind == ZEND_AST_EMPTY) {
 			/* empty(expr) can be transformed to !expr */
@@ -8698,6 +8697,7 @@ void zend_compile_isset_or_empty(znode *result, zend_ast *ast) /* {{{ */
 		}
 	}
 
+	zend_short_circuiting_mark_inner(var_ast);
 	switch (var_ast->kind) {
 		case ZEND_AST_VAR:
 			if (is_this_fetch(var_ast)) {
-- 
2.50.1