Fuzzer php-fuzz-execute crashes at zend_lazy_object_init #18845
Description
Description
The following code:
<?php
class Test {
public function __isset($x) { $GLOBALS["obj"] = 24; return true; }
public function a($x) { }
}
$obj = new Test;
var_dump($obj->$name ?? 12);
?>Resulted in this crashing call stack by the fuzzing driver php-fuzz-execute:
#6 __GI___assert_fail (assertion=0xdec74d "info", file=0xe24f2e "/src/php-src/Zend/zend_lazy_objects.c", line=110, function=0xe2576a "zend_lazy_object_info *zend_lazy_object_get_info(zend_object *)") at ./assert/assert.c:103
#7 zend_lazy_object_init () at Zend/zend_lazy_objects.c:513
#8 zend_std_read_property () at Zend/zend_object_handlers.c:954
#9 ZEND_FETCH_OBJ_IS_SPEC_CV_CV_HANDLER () at Zend/zend_vm_execute.h:52811
#10 fuzzer_execute_ex () at sapi/fuzzer/fuzzer-execute-common.h:59
#11 zend_execute () at Zend/zend_vm_execute.h:64385
#12 fuzzer_do_request_from_buffer () at sapi/fuzzer/fuzzer-sapi.c:274
#13 LLVMFuzzerTestOneInput () at sapi/fuzzer/fuzzer-execute.c:27
PHP Version
dbabbe180b157eeaac5002276667f1f56f0b4def 2025-06-10 22:35:56+0200
Operating System
Linux
Metadata
Metadata
Assignees
Type
Projects
Milestone
Relationships
Participants
Activity
Fix use-after-free of object through __isset() and globals
Fix use-after-free of object through __isset() and globals
Fix use-after-free of object through __isset() and globals