[php-src] master: Fix OSS-Fuzz #416302790 (#18537)

From: Date: Mon, 12 May 2025 16:55:57 +0000
Subject: [php-src] master: Fix OSS-Fuzz #416302790 (#18537)
Groups: php.cvs 
Author: Niels Dossche (nielsdos)
Committer: GitHub (web-flow)
Pusher: nielsdos
Date: 2025-05-12T18:45:01+02:00

Commit: https://github.com/php/php-src/commit/ba4567a987aac3f349f548785854b5a62ffeb6ec
Raw diff: https://github.com/php/php-src/commit/ba4567a987aac3f349f548785854b5a62ffeb6ec.diff

Fix OSS-Fuzz #416302790 (#18537)

The parser accepted invalid code: consts are only valid at the top
level, but because GH-16952 changed the grammar they were incorrectly
allowed at all places that allowed attributed statements.
Fix this by introducing a variant of attributed_statement for the top
level.

Changed paths:
  A  Zend/tests/constants/oss_fuzz_416302790.phpt
  M  Zend/zend_language_parser.y


Diff:

diff --git a/Zend/tests/constants/oss_fuzz_416302790.phpt
b/Zend/tests/constants/oss_fuzz_416302790.phpt
new file mode 100644
index 0000000000000..7ace0a72867da
--- /dev/null
+++ b/Zend/tests/constants/oss_fuzz_416302790.phpt
@@ -0,0 +1,10 @@
+--TEST--
+OSS-Fuzz #416302790
+--FILE--
+<?php
+function x(){
+    #[Attr] const X = 1;
+}
+?>
+--EXPECTF--
+Parse error: syntax error, unexpected token "const" in %s on line %d
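Review bot: The --FILE-- section covers only one rejected placement, the attributed form inside a function body (`#[Attr] const X = 1;` in `x()`), while the commit message says the const was accepted at all places that allow attributed statements. Because a parse error ends the test at the first failure, each extra placement needs its own .phpt: consider one for another nested block (for example an `if` body) and a positive test confirming that `#[Attr] const X = 1;` still parses at the top level, so a later grammar change cannot regress in either direction unnoticed.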
diff --git a/Zend/zend_language_parser.y b/Zend/zend_language_parser.y
index 0c5bb36501e72..08b2ac6b3f39b 100644
--- a/Zend/zend_language_parser.y
+++ b/Zend/zend_language_parser.y
@@ -279,7 +279,7 @@ static YYSIZE_T zend_yytnamerr(char*, const char*);
 %type <ast> isset_variable type return_type type_expr type_without_static
 %type <ast> identifier type_expr_without_static union_type_without_static_element
union_type_without_static intersection_type_without_static
 %type <ast> inline_function union_type_element union_type intersection_type
-%type <ast> attributed_statement attributed_class_statement attributed_parameter
+%type <ast> attributed_statement attributed_top_statement attributed_class_statement
attributed_parameter
 %type <ast> attribute_decl attribute attributes attribute_group namespace_declaration_name
 %type <ast> match match_arm_list non_empty_match_arm_list match_arm match_arm_cond_list
 %type <ast> enum_declaration_statement enum_backing_type enum_case enum_case_expr
@@ -391,13 +391,17 @@ attributed_statement:
 	|	trait_declaration_statement			{ $$ = $1; }
 	|	interface_declaration_statement		{ $$ = $1; }
 	|	enum_declaration_statement			{ $$ = $1; }
+;
+
+attributed_top_statement:
+		attributed_statement				{ $$ = $1; }
 	|	T_CONST const_list ';'				{ $$ = $2; }
 ;
 
 top_statement:
 		statement							{ $$ = $1; }
-	|	attributed_statement					{ $$ = $1; }
-	|	attributes attributed_statement		{ $$ = zend_ast_with_attributes($2, $1); }
+	|	attributed_top_statement			{ $$ = $1; }
+	|	attributes attributed_top_statement	{ $$ = zend_ast_with_attributes($2, $1); }
 	|	T_HALT_COMPILER '(' ')' ';'
 			{ $$ = zend_ast_create(ZEND_AST_HALT_COMPILER,
 			      zend_ast_create_zval_from_long(zend_get_scanned_file_offset()));
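Review bot: Missing documentation on the new `attributed_top_statement` rule: nothing in the grammar records why `T_CONST const_list ';'` lives there instead of in `attributed_statement`, so a later cleanup could merge the two rules again and bring back the invalid parse. A short comment above the rule stating that const declarations are valid only at the top level, and that every nested context must keep referencing `attributed_statement`, would make that invariant explicit. It is also worth confirming that `top_statement` is the only rule switched to the new nonterminal, since the fix depends on no other user of `attributed_statement` reaching the `T_CONST` alternative.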

