Fixed bug #77530: PHP crashes when parsing "(2)::class"

3 files changed, 19 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index 3485917350..56e451b119 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,7 @@ PHP                                                                        NEWS
   . Fixed bug #77339 (__callStatic may get incorrect arguments). (Dmitry)
   . Fixed bug #77494 (Disabling class causes segfault on member access).
     (Dmitry)
+  . Fixed bug #77530 (PHP crashes when parsing `(2)::class`). (Ekin)
 
 - Curl:
   . Fixed bug #76675 (Segfault with H2 server push). (Pedro Magalhães)
diff --git a/Zend/tests/bug77530.phpt b/Zend/tests/bug77530.phpt
new file mode 100644
index 0000000000..fdb2bac78b
--- /dev/null
+++ b/Zend/tests/bug77530.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #77530: PHP crashes when parsing '(2)::class'
+--FILE--
+<?php
+
+echo (2)::class;
+
+?>
+--EXPECTF--
+Fatal error: Illegal class name in %s on line %d
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 28336130cc..46ca21a436 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -1494,6 +1494,7 @@ static void zend_ensure_valid_class_fetch_type(uint32_t fetch_type) /* {{{ */
 static zend_bool zend_try_compile_const_expr_resolve_class_name(zval *zv, zend_ast *class_ast, zend_ast *name_ast, zend_bool constant) /* {{{ */
 {
 	uint32_t fetch_type;
+	zval *class_name;
 
 	if (name_ast->kind != ZEND_AST_ZVAL) {
 		return 0;
@@ -1508,7 +1509,13 @@ static zend_bool zend_try_compile_const_expr_resolve_class_name(zval *zv, zend_a
 			"Dynamic class names are not allowed in compile-time ::class fetch");
 	}
 
-	fetch_type = zend_get_class_fetch_type(zend_ast_get_str(class_ast));
+	class_name = zend_ast_get_zval(class_ast);
+
+	if (Z_TYPE_P(class_name) != IS_STRING) {
+		zend_error_noreturn(E_COMPILE_ERROR, "Illegal class name");
+	}
+
+	fetch_type = zend_get_class_fetch_type(Z_STR_P(class_name));
 	zend_ensure_valid_class_fetch_type(fetch_type);
 
 	switch (fetch_type) {