Fix null pointer deref in compile_return()

Fixes oss-fuzz #24387.
2024-11-23 18:04:36 +08:00 · 2020-07-27 10:27:26 +02:00 · 2020-07-27 10:27:26 +02:00 · 08e6c20955
commit 08e6c20955
parent 3b5b288127
2 changed files with 18 additions and 4 deletions
--- a/Zend/tests/return_ref_none.phpt
+++ b/Zend/tests/return_ref_none.phpt
@ -0,0 +1,14 @@
+--TEST--
+Argument-less return from by-ref function
+--FILE--
+<?php
+
+function &test() {
+    return;
+}
+
+$ref =& test();
+
+?>
+--EXPECTF--
+Notice: Only variable references should be returned by reference in %s on line %d
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@ -4631,14 +4631,14 @@ void zend_compile_return(zend_ast *ast) /* {{{ */
 		by_ref = 0;
 	}

-	if (by_ref && zend_ast_is_short_circuited(expr_ast)) {
-		zend_error_noreturn(E_COMPILE_ERROR, "Cannot take reference of a nullsafe chain");
-	}
-
 	if (!expr_ast) {
 		expr_node.op_type = IS_CONST;
 		ZVAL_NULL(&expr_node.u.constant);
 	} else if (by_ref && zend_is_variable(expr_ast)) {
+		if (zend_ast_is_short_circuited(expr_ast)) {
+			zend_error_noreturn(E_COMPILE_ERROR, "Cannot take reference of a nullsafe chain");
+		}
+
 		zend_compile_var(&expr_node, expr_ast, BP_VAR_W, 1);
 	} else {
 		zend_compile_expr(&expr_node, expr_ast);