turkdevops · pull · Feb 5, 2026 · Feb 4, 2026 · Feb 4, 2026 · Feb 4, 2026
diff --git a/Zend/tests/oss-fuzz-478009707.phpt b/Zend/tests/oss-fuzz-478009707.phpt
@@ -0,0 +1,23 @@
+--TEST--
+OSS-Fuzz #478009707: Assign-op/inc/dec on untyped hooked property backing value
+--FILE--
+<?php
+
+class C {
+    public $prop {
+        set {
+            $this->prop = $value;
+            $this->prop += 1;
+            $this->prop++;
+            ++$this->prop;
+        }
+    }
+}
+
+$c = new C(1);
+$c->prop = 1;
+var_dump($c->prop);
+
+?>
+--EXPECT--
+int(4)
diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c
@@ -3465,12 +3465,14 @@ ZEND_API zend_mm_heap *zend_mm_startup(void)
 ZEND_API zend_mm_heap *zend_mm_startup_ex(const zend_mm_handlers *handlers, void *data, size_t data_size)
 {
 #if ZEND_MM_STORAGE
-	zend_mm_storage tmp_storage, *storage;
+	zend_mm_storage *storage;
+	zend_mm_storage tmp_storage = {
+		.handlers = *handlers,
+		.data = data,
+	};
 	zend_mm_chunk *chunk;
 	zend_mm_heap *heap;
 
-	memcpy((zend_mm_handlers*)&tmp_storage.handlers, handlers, sizeof(zend_mm_handlers));
-	tmp_storage.data = data;
 	chunk = (zend_mm_chunk*)handlers->chunk_alloc(&tmp_storage, ZEND_MM_CHUNK_SIZE, ZEND_MM_CHUNK_SIZE);
 	if (UNEXPECTED(chunk == NULL)) {
 #if ZEND_MM_ERROR

diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -1070,7 +1070,7 @@ ZEND_VM_C_LABEL(assign_op_object):
 					}
 
 					prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2);
-					if (prop_info) {
+					if (prop_info && ZEND_TYPE_IS_SET(prop_info->type)) {
 						/* special case for typed properties */
 						zend_binary_assign_op_typed_prop(prop_info, zptr, value OPLINE_CC EXECUTE_DATA_CC);
 					} else {
@@ -1335,7 +1335,8 @@ ZEND_VM_C_LABEL(pre_incdec_object):
 				}
 			} else {
 				prop_info = (zend_property_info *) CACHED_PTR_EX(cache_slot + 2);
-				zend_pre_incdec_property_zval(zptr, prop_info OPLINE_CC EXECUTE_DATA_CC);
+				zend_pre_incdec_property_zval(zptr,
+					prop_info && ZEND_TYPE_IS_SET(prop_info->type) ? prop_info : NULL OPLINE_CC EXECUTE_DATA_CC);
 			}
 		} else {
 			zend_pre_incdec_overloaded_property(zobj, name, cache_slot OPLINE_CC EXECUTE_DATA_CC);
@@ -1403,7 +1404,8 @@ ZEND_VM_C_LABEL(post_incdec_object):
 				ZVAL_NULL(EX_VAR(opline->result.var));
 			} else {
 				prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2);
-				zend_post_incdec_property_zval(zptr, prop_info OPLINE_CC EXECUTE_DATA_CC);
+				zend_post_incdec_property_zval(zptr,
+					prop_info && ZEND_TYPE_IS_SET(prop_info->type) ? prop_info : NULL OPLINE_CC EXECUTE_DATA_CC);
 			}
 		} else {
 			zend_post_incdec_overloaded_property(zobj, name, cache_slot OPLINE_CC EXECUTE_DATA_CC);

diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
diff --git a/ext/curl/interface.c b/ext/curl/interface.c
@@ -2278,11 +2278,7 @@ PHP_FUNCTION(curl_setopt)
 
 	ch = Z_CURL_P(zid);
 
-	if (_php_curl_setopt(ch, options, zvalue, 0) == SUCCESS) {
-		RETURN_TRUE;
-	} else {
-		RETURN_FALSE;
-	}
+	RETURN_BOOL(_php_curl_setopt(ch, options, zvalue, 0) == SUCCESS);
 }
 /* }}} */
 

diff --git a/ext/filter/filter.c b/ext/filter/filter.c
@@ -479,11 +479,7 @@ PHP_FUNCTION(filter_has_var)
 		RETURN_THROWS();
 	}
 
-	if (array_ptr && zend_hash_exists(Z_ARRVAL_P(array_ptr), var)) {
-		RETURN_TRUE;
-	}
-
-	RETURN_FALSE;
+	RETURN_BOOL(array_ptr && zend_hash_exists(Z_ARRVAL_P(array_ptr), var));
 }
 /* }}} */
 

diff --git a/ext/session/mod_files.c b/ext/session/mod_files.c
@@ -486,7 +486,7 @@ PS_READ_FUNC(files)
 		return SUCCESS;
 	}
 
-	*val = zend_string_alloc(sbuf.st_size, 0);
+	*val = zend_string_alloc(sbuf.st_size, false);
 
 #ifdef HAVE_PREAD
 	n = pread(data->fd, ZSTR_VAL(*val), ZSTR_LEN(*val), 0);
@@ -519,7 +519,7 @@ PS_READ_FUNC(files)
 		} else {
 			php_error_docref(NULL, E_WARNING, "Read returned less bytes than requested");
 		}
-		zend_string_release_ex(*val, 0);
+		zend_string_release_ex(*val, false);
 		*val =  ZSTR_EMPTY_ALLOC();
 		return FAILURE;
 	}
@@ -675,7 +675,7 @@ PS_CREATE_SID_FUNC(files)
 		/* Check collision */
 		/* FIXME: mod_data(data) should not be NULL (User handler could be NULL) */
 		if (data && ps_files_key_exists(data, sid) == SUCCESS) {
-			zend_string_release_ex(sid, 0);
+			zend_string_release_ex(sid, false);
 			sid = NULL;
 			if (--maxfail < 0) {
 				return NULL;

diff --git a/ext/session/mod_mm.c b/ext/session/mod_mm.c
@@ -359,15 +359,15 @@ PS_READ_FUNC(mm)
 			return FAILURE;
 		}
 		if (PS(use_cookies)) {
-			PS(send_cookie) = 1;
+			PS(send_cookie) = true;
 		}
 		php_session_reset_id();
 		PS(session_status) = php_session_active;
 	}
 
 	sd = ps_sd_lookup(data, PS(id), false);
 	if (sd) {
-		*val = zend_string_init(sd->data, sd->datalen, 0);
+		*val = zend_string_init(sd->data, sd->datalen, false);
 		ret = SUCCESS;
 	}
 
@@ -476,7 +476,7 @@ PS_CREATE_SID_FUNC(mm)
 		/* Check collision */
 		if (ps_mm_key_exists(data, sid) == SUCCESS) {
 			if (sid) {
-				zend_string_release_ex(sid, 0);
+				zend_string_release_ex(sid, false);
 				sid = NULL;
 			}
 			if (!(maxfail--)) {

diff --git a/ext/session/mod_user.c b/ext/session/mod_user.c
@@ -27,19 +27,19 @@ static void ps_call_handler(zval *func, int argc, zval *argv, zval *retval)
 {
 	int i;
 	if (PS(in_save_handler)) {
-		PS(in_save_handler) = 0;
+		PS(in_save_handler) = false;
 		ZVAL_UNDEF(retval);
 		php_error_docref(NULL, E_WARNING, "Cannot call session save handler in a recursive manner");
 		return;
 	}
-	PS(in_save_handler) = 1;
+	PS(in_save_handler) = true;
 	if (call_user_function(NULL, NULL, func, retval, argc, argv) == FAILURE) {
 		zval_ptr_dtor(retval);
 		ZVAL_UNDEF(retval);
 	} else if (Z_ISUNDEF_P(retval)) {
 		ZVAL_NULL(retval);
 	}
-	PS(in_save_handler) = 0;
+	PS(in_save_handler) = false;
 	for (i = 0; i < argc; i++) {
 		zval_ptr_dtor(&argv[i]);
 	}
@@ -100,7 +100,7 @@ PS_OPEN_FUNC(user)
 		zend_bailout();
 	} zend_end_try();
 
-	PS(mod_user_implemented) = 1;
+	PS(mod_user_implemented) = true;
 
 	ret = verify_bool_return_type_userland_calls(&retval);
 	zval_ptr_dtor(&retval);
@@ -109,7 +109,7 @@ PS_OPEN_FUNC(user)
 
 PS_CLOSE_FUNC(user)
 {
-	bool bailout = 0;
+	bool bailout = false;
 	zval retval;
 	zend_result ret = FAILURE;
 
@@ -123,10 +123,10 @@ PS_CLOSE_FUNC(user)
 	zend_try {
 		ps_call_handler(&PSF(close), 0, NULL, &retval);
 	} zend_catch {
-		bailout = 1;
+		bailout = true;
 	} zend_end_try();
 
-	PS(mod_user_implemented) = 0;
+	PS(mod_user_implemented) = false;
 
 	if (bailout) {
 		if (!Z_ISUNDEF(retval)) {

diff --git a/ext/session/mod_user_class.c b/ext/session/mod_user_class.c
@@ -54,7 +54,7 @@ PHP_METHOD(SessionHandler, open)
 	} zend_end_try();
 
 	if (SUCCESS == ret) {
-		PS(mod_user_is_open) = 1;
+		PS(mod_user_is_open) = true;
 	}
 
 	RETURN_BOOL(SUCCESS == ret);
@@ -70,7 +70,7 @@ PHP_METHOD(SessionHandler, close)
 
 	PS_SANITY_CHECK_IS_OPEN;
 
-	PS(mod_user_is_open) = 0;
+	PS(mod_user_is_open) = false;
 
 	zend_try {
 		ret = PS(default_mod)->s_close(&PS(mod_data));

diff --git a/ext/session/php_session.h b/ext/session/php_session.h
@@ -264,7 +264,7 @@ PHPAPI zend_result php_session_register_serializer(const char *name,
 	        zend_result (*decode)(PS_SERIALIZER_DECODE_ARGS));
 
 PHPAPI zend_result php_session_start(void);
-PHPAPI zend_result php_session_flush(int write);
+PHPAPI zend_result php_session_flush(bool write);
 PHPAPI php_session_status php_get_session_status(void);
 
 PHPAPI const ps_module *_php_find_ps_module(const char *name);