From a3a3964497922bcd74282685218d90acea69c296 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sun, 27 Aug 2023 17:46:10 +0200
Subject: [PATCH] Fix oss-fuzz #61712: assertion failure with error handler during binary op

Because the error handler is invoked after the property is updated, the error handler has the opportunity to remove it before the property is returned. Switching the order around fixes this issue.

The comments mention that the current ordering prevents overwriting the EG(std_property_info) field in the error handler. EG(std_property_info) no longer exists as it was removed in 7471c217. Back then a global was used to store the returned property info, but as this is no longer the case there is no longer a need to protect against overwriting a global.

Closes GH-12062.
---
 NEWS | 2 ++
 Zend/tests/oss_fuzz_61712.phpt | 20 ++++++++++++++++++++
 Zend/zend_object_handlers.c | 4 +---
 3 files changed, 23 insertions(+), 3 deletions(-)
 create mode 100644 Zend/tests/oss_fuzz_61712.phpt

diff --git a/NEWS b/NEWS
index c46f675571b..9ae7df82579 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,8 @@ PHP NEWS
 (Jakub Zelenka)
 . Fixed bug GH-11790 (On riscv64 require libatomic if actually needed).
 (Jeremie Courreges-Anglas)
+ . Fixed oss-fuzz #61712 (assertion failure with error handler during binary
+ op). (nielsdos)
 
 - DOM:
 . Fixed GH-11952 (Confusing warning when blocking entity loading via
diff --git a/Zend/tests/oss_fuzz_61712.phpt b/Zend/tests/oss_fuzz_61712.phpt
new file mode 100644
index 00000000000..5e3aa9060fd
--- /dev/null
+++ b/Zend/tests/oss_fuzz_61712.phpt
@@ -0,0 +1,20 @@
+--TEST--
+OSS-Fuzz #61712 (assertion failure with error handler during binary op)
+--FILE--
+a);
+ }
+}
+
+$c = new C;
+set_error_handler([$c, 'error']);
+$c->a %= 10;
+var_dump($c->a);
+?>
+--EXPECT--
+Undefined property: C::$a
+int(0)
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index 8985bb9edb5..1b38e8e4113 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -1160,12 +1160,10 @@ ZEND_API zval *zend_std_get_property_ptr_ptr(zend_object *zobj, zend_string *nam
 if (UNEXPECTED(!zobj->properties)) {
 rebuild_object_properties(zobj);
 }
- retval = zend_hash_update(zobj->properties, name, &EG(uninitialized_zval));
- /* Notice is thrown after creation of the property, to avoid EG(std_property_info)
- * being overwritten in an error handler. */
 if (UNEXPECTED(type == BP_VAR_RW || type == BP_VAR_R)) {
 zend_error(E_WARNING, "Undefined property: %s::$%s", ZSTR_VAL(zobj->ce->name), ZSTR_VAL(name));
 }
+ retval = zend_hash_update(zobj->properties, name, &EG(uninitialized_zval));
 }
 } else if (zobj->ce->__get == NULL) {
 retval = &EG(error_zval);
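Review bot: The reordering is left undocumented: the removed comment explained why `zend_hash_update` used to run before `zend_error`, but nothing in the new code says that the update must now come only after the error handler has returned, so a later cleanup could restore the old order and reintroduce the removed-property case this commit fixes. The moved line also re-reads `zobj->properties` after user code has run inside `zend_error`; that is only safe if the handler cannot release that table, and if that invariant holds it is worth stating next to the call. Suggest replacing the dropped comment with `/* Warn before creating the property: the error handler runs user code that may unset properties, so the slot must not exist until the handler has returned. */` placed above the `if (UNEXPECTED(type == BP_VAR_RW || type == BP_VAR_R))` line. Whether a handler that throws should still get a fresh slot returned is unchanged from before the patch, but worth a word in the same comment. zend_std_get_property_ptr_ptr begins before and continues after this hunk.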