Fix #20875: null pointer in zend_fetch_property_address

arshidkv12 · arshidkv12 · commit 842a996a67fa · 2026-01-10T10:43:03.000+05:30
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
@@ -3624,14 +3624,20 @@ static zend_always_inline void zend_fetch_property_address(zval *result, zval *c
 			ZVAL_ERROR(result);
 			goto end;
 		}
-		if (Z_TYPE_P(ptr) == IS_NULL && Z_NEXT_P(ptr) == 0) {
-			ZVAL_NULL(result);
-			goto end;
+
+		if (EXPECTED(Z_TYPE_P(ptr) == IS_NULL)) {
+			zend_property_info *prop_info = CACHED_PTR_EX(cache_slot + 2);
+			
+			if (prop_info == NULL) {
+				ZVAL_NULL(result);
+				goto end;
+			}
 		}
 	} else if (UNEXPECTED(Z_ISERROR_P(ptr))) {
 		ZVAL_ERROR(result);
 		goto end;
 	}
+	
 	ZVAL_INDIRECT(result, ptr);
 	flags &= ZEND_FETCH_OBJ_FLAGS;
 	if (flags) {
@@ -5937,4 +5943,4 @@ ZEND_API zval *zend_get_zval_ptr(const zend_op *opline, int op_type, const znode
 			break;
 	}
 	return ret;
-}
+}
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
@@ -324,7 +324,6 @@ static zend_never_inline zval* ZEND_FASTCALL _zendi_convert_scalar_to_number_sil
 
 static zend_never_inline zend_result ZEND_FASTCALL _zendi_try_convert_scalar_to_number(zval *op, zval *holder) /* {{{ */
 {
-try_again:
 	switch (Z_TYPE_P(op)) {
 		case IS_NULL:
 		case IS_FALSE:
@@ -360,9 +359,6 @@ static zend_never_inline zend_result ZEND_FASTCALL _zendi_try_convert_scalar_to_
 		case IS_RESOURCE:
 		case IS_ARRAY:
 			return FAILURE;
-		case IS_REFERENCE:
-			op = Z_REFVAL_P(op);
-			goto try_again;
 		EMPTY_SWITCH_DEFAULT_CASE()
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -324,7 +324,6 @@ static zend_never_inline zval* ZEND_FASTCALL _zendi_convert_scalar_to_number_sil`
`324`	`324`
`325`	`325`	`static zend_never_inline zend_result ZEND_FASTCALL _zendi_try_convert_scalar_to_number(zval op, zval holder) /* {{{ */`
`326`	`326`	`{`
`327`		`-try_again:`
`328`	`327`	`switch (Z_TYPE_P(op)) {`
`329`	`328`	`case IS_NULL:`
`330`	`329`	`case IS_FALSE:`
`@@ -360,9 +359,6 @@ static zend_never_inline zend_result ZEND_FASTCALL _zendi_try_convert_scalar_to_`
`360`	`359`	`case IS_RESOURCE:`
`361`	`360`	`case IS_ARRAY:`
`362`	`361`	`return FAILURE;`
`363`		`- case IS_REFERENCE:`
`364`		`- op = Z_REFVAL_P(op);`
`365`		`- goto try_again;`
`366`	`362`	`EMPTY_SWITCH_DEFAULT_CASE()`
`367`	`363`	`}`
`368`	`364`	`}`