Fuzzer php-fuzz-execute crashes at zend_lazy_object_init

[gal1ium]

Description

The following code:

<?php
class Test {
    public function __isset($x) { $GLOBALS["obj"] = 24; return true; }
    public function a($x) { }
}
$obj = new Test;
var_dump($obj->$name ?? 12);
?>

Resulted in this crashing call stack by the fuzzing driver php-fuzz-execute:

#6  __GI___assert_fail (assertion=0xdec74d "info", file=0xe24f2e "/src/php-src/Zend/zend_lazy_objects.c", line=110, function=0xe2576a "zend_lazy_object_info *zend_lazy_object_get_info(zend_object *)") at ./assert/assert.c:103
#7  zend_lazy_object_init () at Zend/zend_lazy_objects.c:513
#8  zend_std_read_property () at Zend/zend_object_handlers.c:954
#9   ZEND_FETCH_OBJ_IS_SPEC_CV_CV_HANDLER () at Zend/zend_vm_execute.h:52811
#10 fuzzer_execute_ex () at sapi/fuzzer/fuzzer-execute-common.h:59
#11 zend_execute () at Zend/zend_vm_execute.h:64385
#12 fuzzer_do_request_from_buffer () at sapi/fuzzer/fuzzer-sapi.c:274
#13 LLVMFuzzerTestOneInput () at sapi/fuzzer/fuzzer-execute.c:27

PHP Version

dbabbe180b157eeaac5002276667f1f56f0b4def 2025-06-10 22:35:56+0200

Operating System

Linux