Commit 26c0cbd93cb for php.net
commit 26c0cbd93cb4f2501a9d07144c8b46ae5c91b9e6
Author: Ilija Tovilo <ilija.tovilo@me.com>
Date: Fri Dec 5 19:32:40 2025 +0100
Fix dumping function signature with dynamic class const lookup default argument
Fixes OSS-Fuzz #465488618
Closes GH-20651
diff --git a/NEWS b/NEWS
index 472f57a38f6..b4a15b3ddd8 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 8.3.30
+- Core:
+ . Fix OSS-Fuzz #465488618 (Wrong assumptions when dumping function signature
+ with dynamic class const lookup default argument). (ilutov)
+
- Bz2:
. Fixed bug GH-20620 (bzcompress overflow on large source size).
(David Carlier)
diff --git a/Zend/tests/oss-fuzz-465488618.phpt b/Zend/tests/oss-fuzz-465488618.phpt
new file mode 100644
index 00000000000..517c481b33e
--- /dev/null
+++ b/Zend/tests/oss-fuzz-465488618.phpt
@@ -0,0 +1,16 @@
+--TEST--
+OSS-Fuzz #465488618: Dump function signature with dynamic class const lookup default argument
+--FILE--
+<?php
+
+class A {
+ public function test(int $x) {}
+}
+
+class B extends A {
+ public function test(string $x = Foo::{C}) {}
+}
+
+?>
+--EXPECTF--
+Fatal error: Declaration of B::test(string $x = <expression>) must be compatible with A::test(int $x) in %s on line %d
diff --git a/Zend/zend_inheritance.c b/Zend/zend_inheritance.c
index 5ba883addca..a89114b80de 100644
--- a/Zend/zend_inheritance.c
+++ b/Zend/zend_inheritance.c
@@ -973,7 +973,9 @@ static ZEND_COLD zend_string *zend_get_function_declaration(
zend_ast *ast = Z_ASTVAL_P(zv);
if (ast->kind == ZEND_AST_CONSTANT) {
smart_str_append(&str, zend_ast_get_constant_name(ast));
- } else if (ast->kind == ZEND_AST_CLASS_CONST) {
+ } else if (ast->kind == ZEND_AST_CLASS_CONST
+ && ast->child[1]->kind == ZEND_AST_ZVAL
+ && Z_TYPE_P(zend_ast_get_zval(ast->child[1])) == IS_STRING) {
smart_str_append(&str, zend_ast_get_str(ast->child[0]));
smart_str_appends(&str, "::");
smart_str_append(&str, zend_ast_get_str(ast->child[1]));