Fix add_function_array() assertion when op2 contains op1

iluuu1994 · iluuu1994 · commit 84b4020eb4a8 · 2023-04-03T12:48:46.000+02:00
Fixes GH-10085 Closes GH-10975 Co-authored-by: Dmitry Stogov <dmitry@zend.com>
diff --git a/NEWS b/NEWS
@@ -6,6 +6,8 @@ PHP                                                                        NEWS
   . Fix inconsistent float negation in constant expressions. (ilutov)
   . Fixed bug GH-8841 (php-cli core dump calling a badly formed function).
     (nielsdos)
+  . Fixed bug GH-10085 (Assertion when adding two arrays with += where the first
+    array is contained in the second). (ilutov)
 
 - DOM:
   . Fixed bug #80602 (Segfault when using DOMChildNode::before()).
diff --git a/Zend/tests/gh10085_1.phpt b/Zend/tests/gh10085_1.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GH-10085: Assertion in add_function_array()
+--FILE--
+<?php
+$i = [[], 0];
+$ref = &$i;
+$i[0] += $ref;
+var_dump($i);
+?>
+--EXPECT--
+array(2) {
+  [0]=>
+  array(2) {
+    [0]=>
+    array(0) {
+    }
+    [1]=>
+    int(0)
+  }
+  [1]=>
+  int(0)
+}
diff --git a/Zend/tests/gh10085_2.phpt b/Zend/tests/gh10085_2.phpt
@@ -0,0 +1,25 @@
+--TEST--
+GH-10085: Assertion in add_function_array()
+--FILE--
+<?php
+$tmp = [0];
+unset($tmp[0]);
+$i = [$tmp, 0];
+unset($tmp);
+$ref = &$i;
+$i[0] += $ref;
+var_dump($i);
+?>
+--EXPECT--
+array(2) {
+  [0]=>
+  array(2) {
+    [0]=>
+    array(0) {
+    }
+    [1]=>
+    int(0)
+  }
+  [1]=>
+  int(0)
+}
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
@@ -965,16 +965,22 @@ static ZEND_COLD zend_never_inline void ZEND_FASTCALL zend_binop_error(const cha
 
 static zend_never_inline void ZEND_FASTCALL add_function_array(zval *result, zval *op1, zval *op2) /* {{{ */
 {
-	if (result == op1 && Z_ARR_P(op1) == Z_ARR_P(op2)) {
-		/* $a += $a */
-		return;
-	}
 	if (result != op1) {
 		ZVAL_ARR(result, zend_array_dup(Z_ARR_P(op1)));
+		zend_hash_merge(Z_ARRVAL_P(result), Z_ARRVAL_P(op2), zval_add_ref, 0);
+	} else if (Z_ARR_P(op1) == Z_ARR_P(op2)) {
+		/* $a += $a */
 	} else {
-		SEPARATE_ARRAY(result);
+		/* We have to duplicate op1 (even with refcount == 1) because it may be an element of op2
+		 * and therefore its reference counter may be increased by zend_hash_merge(). That leads to
+		 * an assertion in _zend_hash_add_or_update_i() that only allows adding elements to hash
+		 * tables with RC1. See GH-10085 and Zend/tests/gh10085*.phpt */
+		zval tmp;
+		ZVAL_ARR(&tmp, zend_array_dup(Z_ARR_P(op1)));
+		zend_hash_merge(Z_ARRVAL(tmp), Z_ARRVAL_P(op2), zval_add_ref, 0);
+		zval_ptr_dtor(result);
+		ZVAL_COPY_VALUE(result, &tmp);
 	}
-	zend_hash_merge(Z_ARRVAL_P(result), Z_ARRVAL_P(op2), zval_add_ref, 0);
 }
 /* }}} */
 
