!75 【openEuler-22.03-LTS-Next】Fix bugs found by oss-fuzz

Merge pull request !75 from yixiangzhike/openEuler-22.03-LTS-Next
2021-12-20 06:13:01 +00:00 · 2021-12-20 06:13:01 +00:00 · f8c038323b
commit f8c038323b
parent 30a45f4c79 a6471e67f6
7 changed files with 1083 additions and 1 deletions
--- a/backport-Bail-on-exception-during-delayed-autoload.patch
+++ b/backport-Bail-on-exception-during-delayed-autoload.patch
@ -0,0 +1,71 @@
+From be8217368b85ab078905e17a732965053f3443d6 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Thu, 23 Sep 2021 12:44:51 +0200
+Subject: [PATCH] Bail on exception during delayed autoload
+
+We shouldn't try to load further classes if one autoload throws.
+
+This fixes oss-fuzz #38881, though I believe there are still two
+deeper issues here: 1) Why do we allow autoloading with an active
+exception? 2) Exception save & restore should probably also save
+and restore the exception opline.
+---
+ Zend/tests/exception_during_variance_autoload.phpt | 31 ++++++++++++++++++++++
+ Zend/zend_inheritance.c                            |  3 +++
+ 2 files changed, 34 insertions(+)
+ create mode 100644 Zend/tests/exception_during_variance_autoload.phpt
+
+diff --git a/Zend/tests/exception_during_variance_autoload.phpt b/Zend/tests/exception_during_variance_autoload.phpt
+new file mode 100644
+index 0000000..995931d
+--- /dev/null
+++ b/Zend/tests/exception_during_variance_autoload.phpt
+@@ -0,0 +1,31 @@
+--TEST--
+Exception during delayed variance autoload
+--FILE--
+<?php
+spl_autoload_register(function($class) {
+    echo "$class\n";
+    if ($class == 'X') {
+        new Y;
+    }
+    if ($class == 'Y') {
+        new Q;
+    }
+});
+class A {
+    function method(): X {}
+}
+class B extends A {
+    function method(): Y {}
+}
+?>
+--EXPECTF--
+Y
+Q
+
+Warning: Uncaught Error: Class "Q" not found in %s:%d
+Stack trace:
+#0 %s(%d): {closure}('Y')
+#1 {main}
+  thrown in %s on line %d
+
+Fatal error: Could not check compatibility between B::method(): Y and A::method(): X, because class Y is not available in %s on line %d
+diff --git a/Zend/zend_inheritance.c b/Zend/zend_inheritance.c
+index b00c5e5..33869d6 100644
+--- a/Zend/zend_inheritance.c
+++ b/Zend/zend_inheritance.c
+@@ -2348,6 +2348,9 @@ static void load_delayed_classes() {
+ 
+ 	ZEND_HASH_FOREACH_STR_KEY(delayed_autoloads, name) {
+ 		zend_lookup_class(name);
+		if (EG(exception)) {
+			break;
+		}
+ 	} ZEND_HASH_FOREACH_END();
+ 
+ 	zend_hash_destroy(delayed_autoloads);
+-- 
+1.8.3.1
+
--- a/backport-Fix-ASSIGN_DIM-to-NEXT-with-rc-1-reference-value.patch
+++ b/backport-Fix-ASSIGN_DIM-to-NEXT-with-rc-1-reference-value.patch
@ -0,0 +1,710 @@
+From 6d5ae6496c6d1b7a563a0b189d868dd7089be395 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Tue, 3 Aug 2021 10:19:23 +0200
+Subject: [PATCH] Fix ASSIGN_DIM to NEXT with rc=1 reference value
+
+The reference wrapper was destroyed while value still pointed into
+it and was later used to assign the ASSIGN_DIM return value. This
+could be fixed either by moving the return value assignment earlier,
+or by working with the value that has been stored in the array.
+I'm going with the latter here, because that matches what the
+non-NEXT codepath does via assign_to_variable more closely.
+
+Fixes oss-fuzz #36807.
+---
+ Zend/tests/assign_dim_ref_free.phpt |  13 +++
+ Zend/zend_vm_def.h                  |   6 +-
+ Zend/zend_vm_execute.h              | 192 ++++++++++++++++++------------------
+ 3 files changed, 112 insertions(+), 99 deletions(-)
+ create mode 100644 Zend/tests/assign_dim_ref_free.phpt
+
+diff --git a/Zend/tests/assign_dim_ref_free.phpt b/Zend/tests/assign_dim_ref_free.phpt
+new file mode 100644
+index 0000000..ecea75c
+--- /dev/null
+++ b/Zend/tests/assign_dim_ref_free.phpt
+@@ -0,0 +1,13 @@
+--TEST--
+Assigning rc=1 reference to next dim
+--FILE--
+<?php
+var_dump($ary[] = [&$x] = $x);
+var_dump($x);
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  &NULL
+}
+NULL
+diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
+index fa70e04..2b9fe5b 100644
+--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
+@@ -2527,8 +2527,8 @@ ZEND_VM_C_LABEL(try_assign_dim_array):
+ 			if (OP_DATA_TYPE == IS_CV || OP_DATA_TYPE == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				ZEND_VM_C_GOTO(assign_dim_error);
+ 			} else if (OP_DATA_TYPE == IS_CV) {
+@@ -2537,7 +2537,7 @@ ZEND_VM_C_LABEL(try_assign_dim_array):
+ 				}
+ 			} else if (OP_DATA_TYPE == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
+index 8e2cd21..a18ee13 100644
+--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
+@@ -23288,8 +23288,8 @@ try_assign_dim_array:
+ 			if (IS_CONST == IS_CV || IS_CONST == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_CONST == IS_CV) {
+@@ -23298,7 +23298,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_CONST == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -23404,8 +23404,8 @@ try_assign_dim_array:
+ 			if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_TMP_VAR == IS_CV) {
+@@ -23414,7 +23414,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_TMP_VAR == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -23521,8 +23521,8 @@ try_assign_dim_array:
+ 			if (IS_VAR == IS_CV || IS_VAR == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_VAR == IS_CV) {
+@@ -23531,7 +23531,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_VAR == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -23638,8 +23638,8 @@ try_assign_dim_array:
+ 			if (IS_CV == IS_CV || IS_CV == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_CV == IS_CV) {
+@@ -23648,7 +23648,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_CV == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -25846,8 +25846,8 @@ try_assign_dim_array:
+ 			if (IS_CONST == IS_CV || IS_CONST == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_CONST == IS_CV) {
+@@ -25856,7 +25856,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_CONST == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -25962,8 +25962,8 @@ try_assign_dim_array:
+ 			if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_TMP_VAR == IS_CV) {
+@@ -25972,7 +25972,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_TMP_VAR == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -26079,8 +26079,8 @@ try_assign_dim_array:
+ 			if (IS_VAR == IS_CV || IS_VAR == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_VAR == IS_CV) {
+@@ -26089,7 +26089,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_VAR == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -26196,8 +26196,8 @@ try_assign_dim_array:
+ 			if (IS_CV == IS_CV || IS_CV == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_CV == IS_CV) {
+@@ -26206,7 +26206,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_CV == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -27236,8 +27236,8 @@ try_assign_dim_array:
+ 			if (IS_CONST == IS_CV || IS_CONST == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_CONST == IS_CV) {
+@@ -27246,7 +27246,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_CONST == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -27352,8 +27352,8 @@ try_assign_dim_array:
+ 			if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_TMP_VAR == IS_CV) {
+@@ -27362,7 +27362,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_TMP_VAR == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -27469,8 +27469,8 @@ try_assign_dim_array:
+ 			if (IS_VAR == IS_CV || IS_VAR == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_VAR == IS_CV) {
+@@ -27479,7 +27479,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_VAR == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -27586,8 +27586,8 @@ try_assign_dim_array:
+ 			if (IS_CV == IS_CV || IS_CV == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_CV == IS_CV) {
+@@ -27596,7 +27596,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_CV == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -29771,8 +29771,8 @@ try_assign_dim_array:
+ 			if (IS_CONST == IS_CV || IS_CONST == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_CONST == IS_CV) {
+@@ -29781,7 +29781,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_CONST == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -29887,8 +29887,8 @@ try_assign_dim_array:
+ 			if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_TMP_VAR == IS_CV) {
+@@ -29897,7 +29897,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_TMP_VAR == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -30004,8 +30004,8 @@ try_assign_dim_array:
+ 			if (IS_VAR == IS_CV || IS_VAR == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_VAR == IS_CV) {
+@@ -30014,7 +30014,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_VAR == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -30121,8 +30121,8 @@ try_assign_dim_array:
+ 			if (IS_CV == IS_CV || IS_CV == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_CV == IS_CV) {
+@@ -30131,7 +30131,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_CV == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -40635,8 +40635,8 @@ try_assign_dim_array:
+ 			if (IS_CONST == IS_CV || IS_CONST == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_CONST == IS_CV) {
+@@ -40645,7 +40645,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_CONST == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -40751,8 +40751,8 @@ try_assign_dim_array:
+ 			if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_TMP_VAR == IS_CV) {
+@@ -40761,7 +40761,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_TMP_VAR == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -40868,8 +40868,8 @@ try_assign_dim_array:
+ 			if (IS_VAR == IS_CV || IS_VAR == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_VAR == IS_CV) {
+@@ -40878,7 +40878,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_VAR == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -40985,8 +40985,8 @@ try_assign_dim_array:
+ 			if (IS_CV == IS_CV || IS_CV == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_CV == IS_CV) {
+@@ -40995,7 +40995,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_CV == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -44263,8 +44263,8 @@ try_assign_dim_array:
+ 			if (IS_CONST == IS_CV || IS_CONST == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_CONST == IS_CV) {
+@@ -44273,7 +44273,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_CONST == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -44379,8 +44379,8 @@ try_assign_dim_array:
+ 			if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_TMP_VAR == IS_CV) {
+@@ -44389,7 +44389,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_TMP_VAR == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -44496,8 +44496,8 @@ try_assign_dim_array:
+ 			if (IS_VAR == IS_CV || IS_VAR == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_VAR == IS_CV) {
+@@ -44506,7 +44506,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_VAR == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -44613,8 +44613,8 @@ try_assign_dim_array:
+ 			if (IS_CV == IS_CV || IS_CV == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_CV == IS_CV) {
+@@ -44623,7 +44623,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_CV == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -46098,8 +46098,8 @@ try_assign_dim_array:
+ 			if (IS_CONST == IS_CV || IS_CONST == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_CONST == IS_CV) {
+@@ -46108,7 +46108,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_CONST == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -46214,8 +46214,8 @@ try_assign_dim_array:
+ 			if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_TMP_VAR == IS_CV) {
+@@ -46224,7 +46224,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_TMP_VAR == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -46331,8 +46331,8 @@ try_assign_dim_array:
+ 			if (IS_VAR == IS_CV || IS_VAR == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_VAR == IS_CV) {
+@@ -46341,7 +46341,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_VAR == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -46448,8 +46448,8 @@ try_assign_dim_array:
+ 			if (IS_CV == IS_CV || IS_CV == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_CV == IS_CV) {
+@@ -46458,7 +46458,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_CV == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -49291,8 +49291,8 @@ try_assign_dim_array:
+ 			if (IS_CONST == IS_CV || IS_CONST == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_CONST == IS_CV) {
+@@ -49301,7 +49301,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_CONST == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -49407,8 +49407,8 @@ try_assign_dim_array:
+ 			if (IS_TMP_VAR == IS_CV || IS_TMP_VAR == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_TMP_VAR == IS_CV) {
+@@ -49417,7 +49417,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_TMP_VAR == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -49524,8 +49524,8 @@ try_assign_dim_array:
+ 			if (IS_VAR == IS_CV || IS_VAR == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_VAR == IS_CV) {
+@@ -49534,7 +49534,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_VAR == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+@@ -49641,8 +49641,8 @@ try_assign_dim_array:
+ 			if (IS_CV == IS_CV || IS_CV == IS_VAR) {
+ 				ZVAL_DEREF(value);
+ 			}
+-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
+ 				zend_cannot_add_element();
+ 				goto assign_dim_error;
+ 			} else if (IS_CV == IS_CV) {
+@@ -49651,7 +49651,7 @@ try_assign_dim_array:
+ 				}
+ 			} else if (IS_CV == IS_VAR) {
+ 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
+-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
+ 					if (Z_REFCOUNTED_P(value)) {
+ 						Z_ADDREF_P(value);
+ 					}
+-- 
+1.8.3.1
+
--- a/backport-Fix-return-by-ref-from-array_reduce-callback.patch
+++ b/backport-Fix-return-by-ref-from-array_reduce-callback.patch
@ -0,0 +1,46 @@
+From f40c8fdf672923fd585023574e954b79b85b8777 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Thu, 15 Apr 2021 12:32:05 +0200
+Subject: [PATCH] Fix return-by-ref from array_reduce callback
+
+Fixes oss-fuzz #32990.
+---
+ ext/standard/array.c                                     |  3 +++
+ ext/standard/tests/array/array_reduce_return_by_ref.phpt | 11 +++++++++++
+ 2 files changed, 14 insertions(+)
+ create mode 100644 ext/standard/tests/array/array_reduce_return_by_ref.phpt
+
+diff --git a/ext/standard/array.c b/ext/standard/array.c
+index 3967d83..4556cfe 100644
+--- a/ext/standard/array.c
+++ b/ext/standard/array.c
+@@ -5877,6 +5877,9 @@ PHP_FUNCTION(array_reduce)
+ 			zval_ptr_dtor(&args[1]);
+ 			zval_ptr_dtor(&args[0]);
+ 			ZVAL_COPY_VALUE(return_value, &retval);
+			if (UNEXPECTED(Z_ISREF_P(return_value))) {
+				zend_unwrap_reference(return_value);
+			}
+ 		} else {
+ 			zval_ptr_dtor(&args[1]);
+ 			zval_ptr_dtor(&args[0]);
+diff --git a/ext/standard/tests/array/array_reduce_return_by_ref.phpt b/ext/standard/tests/array/array_reduce_return_by_ref.phpt
+new file mode 100644
+index 0000000..8da7018
+--- /dev/null
+++ b/ext/standard/tests/array/array_reduce_return_by_ref.phpt
+@@ -0,0 +1,11 @@
+--TEST--
+Return by reference from array_reduce() callback
+--FILE--
+<?php
+$array = [1, 2];
+var_dump(array_reduce($array, function &($a, $b) {
+    return $b;
+}, 0));
+?>
+--EXPECT--
+int(2)
+-- 
+1.8.3.1
+
--- a/backport-Handle-ref-return-from-Iterator-key.patch
+++ b/backport-Handle-ref-return-from-Iterator-key.patch
@ -0,0 +1,53 @@
+From 46f9fed0d8e4ca5264abd2da94105925024ede14 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Thu, 15 Apr 2021 13:04:47 +0200
+Subject: [PATCH] Handle ref return from Iterator::key()
+
+Handle this in the implementation of get_current_key of user_it,
+so that the callers may assume that the key is not a reference.
+
+Fixes oss-fuzz #33018.
+---
+ Zend/tests/iterator_key_by_ref.phpt | 15 +++++++++++++++
+ Zend/zend_interfaces.c              |  3 +++
+ 2 files changed, 18 insertions(+)
+ create mode 100644 Zend/tests/iterator_key_by_ref.phpt
+
+diff --git a/Zend/tests/iterator_key_by_ref.phpt b/Zend/tests/iterator_key_by_ref.phpt
+new file mode 100644
+index 0000000..3bd2bcf
+--- /dev/null
+++ b/Zend/tests/iterator_key_by_ref.phpt
+@@ -0,0 +1,15 @@
+--TEST--
+Iterator::key() with by-ref return
+--FILE--
+<?php
+class Test extends ArrayIterator {
+    function &key() {
+        return $foo;
+    }
+}
+foreach (new Test([0]) as $k => $v) {
+    var_dump($k);
+}
+?>
+--EXPECT--
+NULL
+diff --git a/Zend/zend_interfaces.c b/Zend/zend_interfaces.c
+index 0d5af66..51b7717 100644
+--- a/Zend/zend_interfaces.c
+++ b/Zend/zend_interfaces.c
+@@ -154,6 +154,9 @@ ZEND_API void zend_user_it_get_current_key(zend_object_iterator *_iter, zval *ke
+ 	zend_user_iterator *iter = (zend_user_iterator*)_iter;
+ 	zval *object = &iter->it.data;
+ 	zend_call_method_with_0_params(Z_OBJ_P(object), iter->ce, &iter->ce->iterator_funcs_ptr->zf_key, "key", key);
+	if (UNEXPECTED(Z_ISREF_P(key))) {
+		zend_unwrap_reference(key);
+	}
+ }
+ /* }}} */
+ 
+-- 
+1.8.3.1
+
--- a/backport-Handle-throwing-destructor-in-BIND_STATIC.patch
+++ b/backport-Handle-throwing-destructor-in-BIND_STATIC.patch
@ -0,0 +1,88 @@
+From ec54ffad1e3b15fedfd07f7d29d97ec3e8d1c45a Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Wed, 29 Sep 2021 10:14:33 +0200
+Subject: [PATCH] Handle throwing destructor in BIND_STATIC
+
+Fixes oss-fuzz #39406.
+---
+ Zend/tests/bind_static_exception.phpt | 18 ++++++++++++++++++
+ Zend/zend_vm_def.h                    |  4 ++--
+ Zend/zend_vm_execute.h                |  4 ++--
+ 3 files changed, 22 insertions(+), 4 deletions(-)
+ create mode 100644 Zend/tests/bind_static_exception.phpt
+
+diff --git a/Zend/tests/bind_static_exception.phpt b/Zend/tests/bind_static_exception.phpt
+new file mode 100644
+index 0000000..c374130
+--- /dev/null
+++ b/Zend/tests/bind_static_exception.phpt
+@@ -0,0 +1,18 @@
+--TEST--
+BIND_STATIC may destroy a variable with a throwing destructor
+--FILE--
+<?php
+class Test {
+    function __destruct() {
+        throw new Exception("Foo");
+    }
+}
+try {
+    $new = new Test;
+    static $new;
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+Foo
+diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
+index 3262ddb..f324d80 100644
+--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
+@@ -8652,9 +8652,9 @@ ZEND_VM_HANDLER(183, ZEND_BIND_STATIC, CV, UNUSED, REF)
+ 
+ 	value = (zval*)((char*)ht->arData + (opline->extended_value & ~(ZEND_BIND_REF|ZEND_BIND_IMPLICIT)));
+ 
+	SAVE_OPLINE();
+ 	if (opline->extended_value & ZEND_BIND_REF) {
+ 		if (Z_TYPE_P(value) == IS_CONSTANT_AST) {
+-			SAVE_OPLINE();
+ 			if (UNEXPECTED(zval_update_constant_ex(value, EX(func)->op_array.scope) != SUCCESS)) {
+ 				HANDLE_EXCEPTION();
+ 			}
+@@ -8679,7 +8679,7 @@ ZEND_VM_HANDLER(183, ZEND_BIND_STATIC, CV, UNUSED, REF)
+ 		ZVAL_COPY(variable_ptr, value);
+ 	}
+ 
+-	ZEND_VM_NEXT_OPCODE();
+	ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();
+ }
+ 
+ ZEND_VM_HOT_HANDLER(184, ZEND_FETCH_THIS, UNUSED, UNUSED)
+diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
+index 987406a..a4a268d 100644
+--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
+@@ -46983,9 +46983,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_BIND_STATIC_SPEC_CV_UNUSED_HAN
+ 
+ 	value = (zval*)((char*)ht->arData + (opline->extended_value & ~(ZEND_BIND_REF|ZEND_BIND_IMPLICIT)));
+ 
+	SAVE_OPLINE();
+ 	if (opline->extended_value & ZEND_BIND_REF) {
+ 		if (Z_TYPE_P(value) == IS_CONSTANT_AST) {
+-			SAVE_OPLINE();
+ 			if (UNEXPECTED(zval_update_constant_ex(value, EX(func)->op_array.scope) != SUCCESS)) {
+ 				HANDLE_EXCEPTION();
+ 			}
+@@ -47010,7 +47010,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_BIND_STATIC_SPEC_CV_UNUSED_HAN
+ 		ZVAL_COPY(variable_ptr, value);
+ 	}
+ 
+-	ZEND_VM_NEXT_OPCODE();
+	ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();
+ }
+ 
+ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_CHECK_VAR_SPEC_CV_UNUSED_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
+-- 
+1.8.3.1
+
--- a/backport-Undef-slot-before-destroying-in-unset_property.patch
+++ b/backport-Undef-slot-before-destroying-in-unset_property.patch
@ -0,0 +1,105 @@
+From ebd3a210021ec3b8f210822f0c69ee8f3132f1dc Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Thu, 15 Jul 2021 09:29:08 +0200
+Subject: [PATCH] Undef slot before destroying in unset_property
+
+We need to make sure that destructors can't access the partially
+destroyed property. Do the same we do in HTs.
+
+Fixes oss-fuzz #36205.
+---
+ Zend/tests/unset_prop_recursion.phpt | 65 ++++++++++++++++++++++++++++++++++++
+ Zend/zend_object_handlers.c          |  4 ++-
+ 2 files changed, 68 insertions(+), 1 deletion(-)
+ create mode 100644 Zend/tests/unset_prop_recursion.phpt
+
+diff --git a/Zend/tests/unset_prop_recursion.phpt b/Zend/tests/unset_prop_recursion.phpt
+new file mode 100644
+index 0000000..afb1929
+--- /dev/null
+++ b/Zend/tests/unset_prop_recursion.phpt
+@@ -0,0 +1,65 @@
+--TEST--
+Unset property where unset will recursively access property again
+--FILE--
+<?php
+class Node {
+    public $parent = null;
+    public $children = [];
+    function insert(Node $node) {
+        $node->parent = $this;
+        $this->children[] = $node;
+    }
+    function __destruct() {
+        var_dump($this);
+        unset($this->children);
+    }
+}
+
+$a = new Node;
+$a->insert(new Node);
+$a->insert(new Node);
+?>
+--EXPECT--
+object(Node)#1 (2) {
+  ["parent"]=>
+  NULL
+  ["children"]=>
+  array(2) {
+    [0]=>
+    object(Node)#2 (2) {
+      ["parent"]=>
+      *RECURSION*
+      ["children"]=>
+      array(0) {
+      }
+    }
+    [1]=>
+    object(Node)#3 (2) {
+      ["parent"]=>
+      *RECURSION*
+      ["children"]=>
+      array(0) {
+      }
+    }
+  }
+}
+object(Node)#2 (2) {
+  ["parent"]=>
+  object(Node)#1 (2) {
+    ["parent"]=>
+    NULL
+  }
+  ["children"]=>
+  array(0) {
+  }
+}
+object(Node)#3 (2) {
+  ["parent"]=>
+  object(Node)#1 (2) {
+    ["parent"]=>
+    NULL
+  }
+  ["children"]=>
+  array(0) {
+  }
+}
+diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
+index 7c2bd13..e61a5af 100644
+--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
+@@ -1137,8 +1137,10 @@ ZEND_API void zend_std_unset_property(zval *object, zval *member, void **cache_s
+ 					ZEND_REF_DEL_TYPE_SOURCE(Z_REF_P(slot), prop_info);
+ 				}
+ 			}
+-			zval_ptr_dtor(slot);
+			zval tmp;
+			ZVAL_COPY_VALUE(&tmp, slot);
+ 			ZVAL_UNDEF(slot);
+			zval_ptr_dtor(&tmp);
+ 			if (zobj->properties) {
+ 				HT_FLAGS(zobj->properties) |= HASH_FLAG_HAS_EMPTY_IND;
+ 			}
+-- 
+1.8.3.1
+
--- a/php.spec
+++ b/php.spec
@ -27,7 +27,7 @@

 Name:          php
 Version:       %{upver}%{?rcver:~%{rcver}}
-Release:       6
+Release:       7
 Summary:       PHP scripting language for creating dynamic web sites
 License:       PHP and Zend-2.0 and BSD and MIT and ASL 1.0 and NCSA
 URL:           http://www.php.net/
@ -65,6 +65,12 @@ Patch13:       backport-0001-CVE-2021-21705.patch
 Patch14:       backport-0002-CVE-2021-21705.patch
 Patch15:       backport-CVE-2021-21704.patch
 Patch16:       backport-CVE-2021-21703.patch
+Patch17:       backport-Handle-throwing-destructor-in-BIND_STATIC.patch
+Patch18:       backport-Bail-on-exception-during-delayed-autoload.patch
+Patch19:       backport-Fix-ASSIGN_DIM-to-NEXT-with-rc-1-reference-value.patch
+Patch20:       backport-Undef-slot-before-destroying-in-unset_property.patch
+Patch21:       backport-Handle-ref-return-from-Iterator-key.patch
+Patch22:       backport-Fix-return-by-ref-from-array_reduce-callback.patch

 BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
 BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
@ -1103,6 +1109,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :


 %changelog
+* Sat Dec 18 2021 yixiangzhike <yixiangzhike007@163.com> - 8.0.0-7
+- Fix bugs found by oss-fuzz
+
 * Thu Nov 4 2021 panxiaohe <panxiaohe@huawei.com> - 8.0.0-6
 - Fix CVE-2021-21703