Skip to content

Fix by-ref assignment on uninitialized hooked backing value #20943

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
iluuu1994 wants to merge 1 commit into from
Closed

Fix by-ref assignment on uninitialized hooked backing value #20943

iluuu1994 wants to merge 1 commit into from
+58 −1

Conversation

@iluuu1994
Copy link
Member

@iluuu1994 iluuu1994 commented Jan 15, 2026

Within hooks, the backing value can directly be accessed as if no hooks were present. This was previously handled only in read_property().

zend_fetch_property_address(), which is used for by-ref assignment, will first call get_property_ptr_ptr() and then try read_property(). However, when called on uninitialized backing values, read_property() will return &EG(uninitialized_zval) with an uninitialized property warning. This is problematic for zend_fetch_property_address() because it write to the result of read_property() unless there's an exception.

For untyped properties, this can result in writes to &EG(uninitialized_zval) (see oss-fuzz-471486164-001.phpt). For types properties, it will result in an unexpected "Typed property C::$prop must not be accessed before initialization" exception.

Fixes OSS-Fuzz #471486164

@iluuu1994
Fix by-ref assignment on uninitialized hooked backing value
ab54cb2 
Within hooks, the backing value can directly be accessed as if no hooks were
present. This was previously handled only in read_property().

zend_fetch_property_address(), which is used for by-ref assignment, will first
call get_property_ptr_ptr() and then try read_property(). However, when called
on uninitialized backing values, read_property() will return
&EG(uninitialized_zval) with an uninitialized property warning. This is
problematic for zend_fetch_property_address() because it write to the result of
read_property() unless there's an exception.

For untyped properties, this can result in writes to &EG(uninitialized_zval)
(see oss-fuzz-471486164-001.phpt). For types properties, it will result in an
unexpected "Typed property C::$prop must not be accessed before initialization"
exception.

Fixes OSS-Fuzz #471486164
@iluuu1994 iluuu1994 requested a review from arnaud-lb January 15, 2026 14:18
@iluuu1994 iluuu1994 requested a review from dstogov as a code owner January 15, 2026 14:18
arnaud-lb
arnaud-lb approved these changes Jan 15, 2026
View reviewed changes
Copy link
Member

@arnaud-lb arnaud-lb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me!

@iluuu1994 iluuu1994 closed this in 0efecbc Jan 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@arnaud-lb arnaud-lb arnaud-lb approved these changes

@dstogov dstogov Awaiting requested review from dstogov dstogov is a code owner

Assignees

No one assigned

Labels

Category: Engine

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@iluuu1994 @arnaud-lb