Fix incorrect constant propagation for VERIFY_RETURN_TYPE

This fixes oss-fuzz #48104
2024-09-22 18:37:25 +00:00 · 2022-06-20 11:30:07 +03:00 · 2022-06-20 11:30:07 +03:00 · fa75bd0785
commit fa75bd0785
parent 3d4a55fea1
2 changed files with 24 additions and 1 deletions
--- a/Zend/Optimizer/sccp.c
+++ b/Zend/Optimizer/sccp.c
@ -1721,7 +1721,7 @@ static zval *value_from_type_and_range(sccp_ctx *ctx, int var_num, zval *tmp) {
 	}

 	if (!(info->type & ((MAY_BE_ANY|MAY_BE_UNDEF)-MAY_BE_NULL))) {
-		if (ssa->vars[var_num].definition >= 0 
+		if (ssa->vars[var_num].definition >= 0
 		 && ctx->scdf.op_array->opcodes[ssa->vars[var_num].definition].opcode == ZEND_VERIFY_RETURN_TYPE) {
 			return NULL;
 		}
@ -1729,10 +1729,18 @@ static zval *value_from_type_and_range(sccp_ctx *ctx, int var_num, zval *tmp) {
 		return tmp;
 	}
 	if (!(info->type & ((MAY_BE_ANY|MAY_BE_UNDEF)-MAY_BE_FALSE))) {
+		if (ssa->vars[var_num].definition >= 0
+		 && ctx->scdf.op_array->opcodes[ssa->vars[var_num].definition].opcode == ZEND_VERIFY_RETURN_TYPE) {
+			return NULL;
+		}
 		ZVAL_FALSE(tmp);
 		return tmp;
 	}
 	if (!(info->type & ((MAY_BE_ANY|MAY_BE_UNDEF)-MAY_BE_TRUE))) {
+		if (ssa->vars[var_num].definition >= 0
+		 && ctx->scdf.op_array->opcodes[ssa->vars[var_num].definition].opcode == ZEND_VERIFY_RETURN_TYPE) {
+			return NULL;
+		}
 		ZVAL_TRUE(tmp);
 		return tmp;
 	}
--- a/ext/opcache/tests/opt/sccp_041.phpt
+++ b/ext/opcache/tests/opt/sccp_041.phpt
@ -0,0 +1,15 @@
+--TEST--
+SCCP 041: Incorrect constant propagation for VERIFY_RETURN_TYPE
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=-1
+--FILE--
+<?php
+function():false {
+    return y;
+}
+?>
+DONE
+--EXPECT--
+DONE