Fuzzer php-fuzz-execute crashes at zend_gc_delref #18844

Closed as duplicate of #16726
@gal1ium

Description

The following code:

<?php 
    $var1[][]=$l;
    set_error_handler(
        function()use(&$var1){
            $var1=0;
        }
    );
    $var1[0].=0;

Resulted in this crashing status by the fuzzing driver php-fuzz-execute:

==961978== ERROR: libFuzzer: deadly signal

#0  zend_gc_delref () at Zend/zend_types.h:1371
#1  i_zval_ptr_dtor () at Zend/zend_variables.h:44
#2  concat_function () at Zend/zend_operators.c:2085
#3  zend_binary_op () at Zend/zend_execute.c:1635
#4  ZEND_ASSIGN_DIM_OP_SPEC_CV_CONST_HANDLER () at Zend/zend_vm_execute.h:42722
#5  fuzzer_execute_ex () at sapi/fuzzer/fuzzer-execute-common.h:59
#6  zend_execute () at Zend/zend_vm_execute.h:64385
#7  fuzzer_do_request_from_buffer () at sapi/fuzzer/fuzzer-sapi.c:274
#8  LLVMFuzzerTestOneInput () at sapi/fuzzer/fuzzer-execute.c:27

PHP Version

dbabbe180b157eeaac5002276667f1f56f0b4def 2025-06-10 22:35:56+0200

Operating System

Linux
