Merge branch 'PHP-8.4'

nielsdos · nielsdos · commit d706dc1f8062 · 2025-07-01T18:52:44.000+02:00
* PHP-8.4:
  Fix OSS-Fuzz #427814456
diff --git a/Zend/tests/numeric_strings/oss_fuzz_427814456.phpt b/Zend/tests/numeric_strings/oss_fuzz_427814456.phpt
@@ -0,0 +1,11 @@
+--TEST--
+OSS-Fuzz #427814456
+--FILE--
+<?php
+set_error_handler(function(){unset($GLOBALS['x']);});
+$x = str_repeat("3e33", random_int(2, 2));
+$x & true;
+echo "Done\n";
+?>
+--EXPECT--
+Done
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
@@ -402,6 +402,7 @@ static zend_never_inline zend_long ZEND_FASTCALL zendi_try_get_long(const zval *
 				zend_long lval;
 				double dval;
 				bool trailing_data = false;
+				zend_string *op_str = NULL; /* protect against error handlers */
 
 				/* For BC reasons we allow errors so that we can warn on leading numeric string */
 				type = is_numeric_string_ex(Z_STRVAL_P(op), Z_STRLEN_P(op), &lval, &dval,
@@ -411,6 +412,9 @@ static zend_never_inline zend_long ZEND_FASTCALL zendi_try_get_long(const zval *
 					return 0;
 				}
 				if (UNEXPECTED(trailing_data)) {
+					if (type != IS_LONG) {
+						op_str = zend_string_copy(Z_STR_P(op));
+					}
 					zend_error(E_WARNING, "A non-numeric value encountered");
 					if (UNEXPECTED(EG(exception))) {
 						*failed = 1;
@@ -426,11 +430,12 @@ static zend_never_inline zend_long ZEND_FASTCALL zendi_try_get_long(const zval *
 					 */
 					lval = zend_dval_to_lval_cap(dval);
 					if (!zend_is_long_compatible(dval, lval)) {
-						zend_incompatible_string_to_long_error(Z_STR_P(op));
+						zend_incompatible_string_to_long_error(op_str ? op_str : Z_STR_P(op));
 						if (UNEXPECTED(EG(exception))) {
 							*failed = 1;
 						}
 					}
+					zend_tmp_string_release(op_str);
 					return lval;
 				}
 			}

Original file line number	Diff line number	Diff line change
`@@ -402,6 +402,7 @@ static zend_never_inline zend_long ZEND_FASTCALL zendi_try_get_long(const zval *`
`402`	`402`	`zend_long lval;`
`403`	`403`	`double dval;`
`404`	`404`	`bool trailing_data = false;`
	`405`	`+ zend_string op_str = NULL; / protect against error handlers */`
`405`	`406`
`406`	`407`	`/* For BC reasons we allow errors so that we can warn on leading numeric string */`
`407`	`408`	`type = is_numeric_string_ex(Z_STRVAL_P(op), Z_STRLEN_P(op), &lval, &dval,`
`@@ -411,6 +412,9 @@ static zend_never_inline zend_long ZEND_FASTCALL zendi_try_get_long(const zval *`
`411`	`412`	`return 0;`
`412`	`413`	`}`
`413`	`414`	`if (UNEXPECTED(trailing_data)) {`
	`415`	`+ if (type != IS_LONG) {`
	`416`	`+ op_str = zend_string_copy(Z_STR_P(op));`
	`417`	`+ }`
`414`	`418`	`zend_error(E_WARNING, "A non-numeric value encountered");`
`415`	`419`	`if (UNEXPECTED(EG(exception))) {`
`416`	`420`	`*failed = 1;`
`@@ -426,11 +430,12 @@ static zend_never_inline zend_long ZEND_FASTCALL zendi_try_get_long(const zval *`
`426`	`430`	`*/`
`427`	`431`	`lval = zend_dval_to_lval_cap(dval);`
`428`	`432`	`if (!zend_is_long_compatible(dval, lval)) {`
`429`		`- zend_incompatible_string_to_long_error(Z_STR_P(op));`
	`433`	`+ zend_incompatible_string_to_long_error(op_str ? op_str : Z_STR_P(op));`
`430`	`434`	`if (UNEXPECTED(EG(exception))) {`
`431`	`435`	`*failed = 1;`
`432`	`436`	`}`
`433`	`437`	`}`
	`438`	`+ zend_tmp_string_release(op_str);`
`434`	`439`	`return lval;`
`435`	`440`	`}`
`436`	`441`	`}`