Fix infinite loop on string offset during by-ref list assign

nikic · nikic · commit a07c1f56aac1 · 2020-09-02T10:16:05.000+02:00
There is a deeper underlying issue here, in that the opcodes violate
VM write-fetch safety, but let's fix the infinite loop first.

This fixes oss-fuzz #25352.
diff --git a/Zend/tests/list_assign_ref_string_offset_error.phpt b/Zend/tests/list_assign_ref_string_offset_error.phpt
@@ -0,0 +1,16 @@
+--TEST--
+String offset error during list() by-ref assignment
+--FILE--
+<?php
+
+$a = [0];
+$v = 'b';
+$i = 0;
+list(&$a[$i++]) = $v;
+
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: Cannot create references to/from string offsets in %s:%d
+Stack trace:
+#0 {main}
+  thrown in %s on line %d
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
@@ -1329,6 +1329,7 @@ static zend_never_inline ZEND_COLD void zend_wrong_string_offset(EXECUTE_DATA_D)
 					msg = "Cannot create references to/from string offsets";
 					break;
 				}
+				opline++;
 			}
 			break;
 		EMPTY_SWITCH_DEFAULT_CASE();

Original file line number	Diff line number	Diff line change
`@@ -1329,6 +1329,7 @@ static zend_never_inline ZEND_COLD void zend_wrong_string_offset(EXECUTE_DATA_D)`
`1329`	`1329`	`msg = "Cannot create references to/from string offsets";`
`1330`	`1330`	`break;`
`1331`	`1331`	`}`
	`1332`	`+ opline++;`
`1332`	`1333`	`}`
`1333`	`1334`	`break;`
`1334`	`1335`	`EMPTY_SWITCH_DEFAULT_CASE();`