Fix OSS-Fuzz #427814456

nielsdos · nielsdos · commit 91749844e629 · 2025-07-01T18:50:41.000+02:00
The first warning may trigger an error handler, destroying the operand and its string. So we need to protect the string in that case. Care was taken to avoid unnecessary refcounts and to avoid touching the hot code path. Closes GH-18951.
diff --git a/NEWS b/NEWS
@@ -8,6 +8,7 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction
     order). (Daniil Gentili)
+  . Fix OSS-Fuzz #427814456. (nielsdos)
 
 - Curl:
   . Fix memory leaks when returning refcounted value from curl callback.
diff --git a/Zend/tests/numeric_strings/oss_fuzz_427814456.phpt b/Zend/tests/numeric_strings/oss_fuzz_427814456.phpt
@@ -0,0 +1,11 @@
+--TEST--
+OSS-Fuzz #427814456
+--FILE--
+<?php
+set_error_handler(function(){unset($GLOBALS['x']);});
+$x = str_repeat("3e33", random_int(2, 2));
+$x & true;
+echo "Done\n";
+?>
+--EXPECT--
+Done
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
@@ -401,6 +401,7 @@ static zend_never_inline zend_long ZEND_FASTCALL zendi_try_get_long(const zval *
 				zend_long lval;
 				double dval;
 				bool trailing_data = false;
+				zend_string *op_str = NULL; /* protect against error handlers */
 
 				/* For BC reasons we allow errors so that we can warn on leading numeric string */
 				type = is_numeric_string_ex(Z_STRVAL_P(op), Z_STRLEN_P(op), &lval, &dval,
@@ -410,6 +411,9 @@ static zend_never_inline zend_long ZEND_FASTCALL zendi_try_get_long(const zval *
 					return 0;
 				}
 				if (UNEXPECTED(trailing_data)) {
+					if (type != IS_LONG) {
+						op_str = zend_string_copy(Z_STR_P(op));
+					}
 					zend_error(E_WARNING, "A non-numeric value encountered");
 					if (UNEXPECTED(EG(exception))) {
 						*failed = 1;
@@ -425,11 +429,12 @@ static zend_never_inline zend_long ZEND_FASTCALL zendi_try_get_long(const zval *
 					 */
 					lval = zend_dval_to_lval_cap(dval);
 					if (!zend_is_long_compatible(dval, lval)) {
-						zend_incompatible_string_to_long_error(Z_STR_P(op));
+						zend_incompatible_string_to_long_error(op_str ? op_str : Z_STR_P(op));
 						if (UNEXPECTED(EG(exception))) {
 							*failed = 1;
 						}
 					}
+					zend_tmp_string_release(op_str);
 					return lval;
 				}
 			}

Original file line number	Diff line number	Diff line change
`@@ -401,6 +401,7 @@ static zend_never_inline zend_long ZEND_FASTCALL zendi_try_get_long(const zval *`
`401`	`401`	`zend_long lval;`
`402`	`402`	`double dval;`
`403`	`403`	`bool trailing_data = false;`
	`404`	`+ zend_string op_str = NULL; / protect against error handlers */`
`404`	`405`
`405`	`406`	`/* For BC reasons we allow errors so that we can warn on leading numeric string */`
`406`	`407`	`type = is_numeric_string_ex(Z_STRVAL_P(op), Z_STRLEN_P(op), &lval, &dval,`
`@@ -410,6 +411,9 @@ static zend_never_inline zend_long ZEND_FASTCALL zendi_try_get_long(const zval *`
`410`	`411`	`return 0;`
`411`	`412`	`}`
`412`	`413`	`if (UNEXPECTED(trailing_data)) {`
	`414`	`+ if (type != IS_LONG) {`
	`415`	`+ op_str = zend_string_copy(Z_STR_P(op));`
	`416`	`+ }`
`413`	`417`	`zend_error(E_WARNING, "A non-numeric value encountered");`
`414`	`418`	`if (UNEXPECTED(EG(exception))) {`
`415`	`419`	`*failed = 1;`
`@@ -425,11 +429,12 @@ static zend_never_inline zend_long ZEND_FASTCALL zendi_try_get_long(const zval *`
`425`	`429`	`*/`
`426`	`430`	`lval = zend_dval_to_lval_cap(dval);`
`427`	`431`	`if (!zend_is_long_compatible(dval, lval)) {`
`428`		`- zend_incompatible_string_to_long_error(Z_STR_P(op));`
	`432`	`+ zend_incompatible_string_to_long_error(op_str ? op_str : Z_STR_P(op));`
`429`	`433`	`if (UNEXPECTED(EG(exception))) {`
`430`	`434`	`*failed = 1;`
`431`	`435`	`}`
`432`	`436`	`}`
	`437`	`+ zend_tmp_string_release(op_str);`
`433`	`438`	`return lval;`
`434`	`439`	`}`
`435`	`440`	`}`