Fixed oss-fuzz #62294: Unsetting variable after ++/-- on string variable warning

Girgias · Girgias · commit 0b614a6c2b4b · 2023-09-17T15:49:46.000+01:00
Closes GH-12202
diff --git a/NEWS b/NEWS
@@ -5,6 +5,8 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug GH-12189 (#[Override] attribute in trait does not check for
     parent class implementations). (timwolla)
+  . Fixed OSS Fuzz #62294 (Unsetting variable after ++/-- on string variable
+    warning). (Girgias)
 
 - Filter:
   . Fix explicit FILTER_REQUIRE_SCALAR with FILTER_CALLBACK (ilutov)
diff --git a/Zend/tests/in-de-crement/oss-fuzz-60709_globals_unset_after_undef_warning.phpt b/Zend/tests/in-de-crement/oss-fuzz-60709_globals_unset_after_undef_warning.phpt
@@ -1,5 +1,5 @@
 --TEST--
-oss-fuzz #60709: Test
+oss-fuzz #60709: Unsetting variable after undefined variable warning in ++/--
 --FILE--
 <?php
 set_error_handler(function($_, $m) {
diff --git a/Zend/tests/in-de-crement/oss-fuzz-62294_globals_unset_after_string_warning.phpt b/Zend/tests/in-de-crement/oss-fuzz-62294_globals_unset_after_string_warning.phpt
@@ -0,0 +1,38 @@
+--TEST--
+oss-fuzz #62294: Unsetting variable after ++/-- on string variable warning
+--FILE--
+<?php
+set_error_handler(function($_, $m) {
+    echo "$m\n";
+    unset($GLOBALS['x']);
+});
+
+$x=" ";
+echo "POST DEC\n";
+var_dump($x--);
+
+$x=" ";
+echo "PRE DEC\n";
+var_dump(--$x);
+
+$x=" ";
+echo "POST INC\n";
+var_dump($x++);
+
+$x=" ";
+echo "PRE INC\n";
+var_dump(++$x);
+?>
+--EXPECT--
+POST DEC
+Decrement on non-numeric string has no effect and is deprecated
+string(1) " "
+PRE DEC
+Decrement on non-numeric string has no effect and is deprecated
+string(1) " "
+POST INC
+Increment on non-alphanumeric string is deprecated
+string(1) " "
+PRE INC
+Increment on non-alphanumeric string is deprecated
+string(1) " "
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
@@ -2528,13 +2528,10 @@ static bool ZEND_FASTCALL increment_string(zval *str) /* {{{ */
 
 	if (UNEXPECTED(!zend_string_only_has_ascii_alphanumeric(Z_STR_P(str)))) {
 		zend_string *zstr = Z_STR_P(str);
-		GC_TRY_ADDREF(zstr);
+		zend_string_addref(zstr);
 		zend_error(E_DEPRECATED, "Increment on non-alphanumeric string is deprecated");
 		if (EG(exception)) {
-			GC_TRY_DELREF(zstr);
-			if (!GC_REFCOUNT(zstr)) {
-				efree(zstr);
-			}
+			zend_string_release(zstr);
 			return false;
 		}
 		zval_ptr_dtor(str);
@@ -2737,11 +2734,18 @@ ZEND_API zend_result ZEND_FASTCALL decrement_function(zval *op1) /* {{{ */
 					zval_ptr_dtor_str(op1);
 					ZVAL_DOUBLE(op1, dval - 1);
 					break;
-				default:
+				default: {
+					/* Error handler can unset the variable */
+					zend_string *zstr = Z_STR_P(op1);
+					zend_string_addref(zstr);
 					zend_error(E_DEPRECATED, "Decrement on non-numeric string has no effect and is deprecated");
 					if (EG(exception)) {
+						zend_string_release(zstr);
 						return FAILURE;
 					}
+					zval_ptr_dtor(op1);
+					ZVAL_STR(op1, zstr);
+				}
 			}
 			break;
 		case IS_NULL: {
