Make sure fetch_property_type_info is only used with valid offset

nikic · nikic · commit ee5ffbbe2c1a · 2019-01-09T16:47:33.000+01:00
It's not relevant in any other case and might be wrong wrt cache
state I think.
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -742,7 +742,8 @@ ZEND_API zval *zend_std_read_property(zval *object, zval *member, int type, void
 			}
 
 			if (UNEXPECTED(ZEND_CLASS_HAS_TYPE_HINTS(zobj->ce) &&
-				(prop_info = zend_object_fetch_property_type_info(Z_OBJCE_P(object), name, IS_VALID_PROPERTY_OFFSET(property_offset) ? cache_slot : NULL)))) {
+				IS_VALID_PROPERTY_OFFSET(property_offset) &&
+				(prop_info = zend_object_fetch_property_type_info(Z_OBJCE_P(object), name, cache_slot)))) {
 				zend_verify_prop_assignable_by_ref(prop_info, retval, (zobj->ce->__get->common.fn_flags & ZEND_ACC_STRICT_TYPES) != 0);
 			}
 
@@ -757,8 +758,9 @@ ZEND_API zval *zend_std_read_property(zval *object, zval *member, int type, void
 		}
 	}
 
-	if ((type != BP_VAR_IS)) {
-		if (UNEXPECTED(prop_info = zend_object_fetch_property_type_info(Z_OBJCE_P(object), name, cache_slot))) {
+	if (type != BP_VAR_IS) {
+		if (IS_VALID_PROPERTY_OFFSET(property_offset) &&
+			(prop_info = zend_object_fetch_property_type_info(Z_OBJCE_P(object), name, cache_slot))) {
 			zend_throw_error(NULL, "Typed property %s::$%s must not be accessed before initialization",
 				ZSTR_VAL(prop_info->ce->name),
 				ZSTR_VAL(name));

Original file line number	Diff line number	Diff line change
`@@ -742,7 +742,8 @@ ZEND_API zval zend_std_read_property(zval object, zval *member, int type, void`
`742`	`742`	`}`
`743`	`743`
`744`	`744`	`if (UNEXPECTED(ZEND_CLASS_HAS_TYPE_HINTS(zobj->ce) &&`
`745`		`- (prop_info = zend_object_fetch_property_type_info(Z_OBJCE_P(object), name, IS_VALID_PROPERTY_OFFSET(property_offset) ? cache_slot : NULL)))) {`
	`745`	`+ IS_VALID_PROPERTY_OFFSET(property_offset) &&`
	`746`	`+ (prop_info = zend_object_fetch_property_type_info(Z_OBJCE_P(object), name, cache_slot)))) {`
`746`	`747`	`zend_verify_prop_assignable_by_ref(prop_info, retval, (zobj->ce->__get->common.fn_flags & ZEND_ACC_STRICT_TYPES) != 0);`
`747`	`748`	`}`
`748`	`749`
`@@ -757,8 +758,9 @@ ZEND_API zval zend_std_read_property(zval object, zval *member, int type, void`
`757`	`758`	`}`
`758`	`759`	`}`
`759`	`760`
`760`		`- if ((type != BP_VAR_IS)) {`
`761`		`- if (UNEXPECTED(prop_info = zend_object_fetch_property_type_info(Z_OBJCE_P(object), name, cache_slot))) {`
	`761`	`+ if (type != BP_VAR_IS) {`
	`762`	`+ if (IS_VALID_PROPERTY_OFFSET(property_offset) &&`
	`763`	`+ (prop_info = zend_object_fetch_property_type_info(Z_OBJCE_P(object), name, cache_slot))) {`
`762`	`764`	`zend_throw_error(NULL, "Typed property %s::$%s must not be accessed before initialization",`
`763`	`765`	`ZSTR_VAL(prop_info->ce->name),`
`764`	`766`	`ZSTR_VAL(name));`