Fix $GLOBALS[] in isset and unset

I've previously addressed the case of assignments, but the same
issue exists for isset and unset.

Fixes oss-fuzz #29699.

3 files changed, 24 insertions, 0 deletions

diff --git a/Zend/tests/restrict_globals/invalid_append_isset.phpt b/Zend/tests/restrict_globals/invalid_append_isset.phpt
new file mode 100644
index 0000000000..6cb57351e7
--- /dev/null
+++ b/Zend/tests/restrict_globals/invalid_append_isset.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Cannot append to $GLOBALS in isset()
+--FILE--
+<?php
+isset($GLOBALS[]);
+?>
+--EXPECTF--
+Fatal error: Cannot use [] for reading in %s on line %d
diff --git a/Zend/tests/restrict_globals/invalid_append_unset.phpt b/Zend/tests/restrict_globals/invalid_append_unset.phpt
new file mode 100644
index 0000000000..b7c06179c7
--- /dev/null
+++ b/Zend/tests/restrict_globals/invalid_append_unset.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Cannot append to $GLOBALS in unset()
+--FILE--
+<?php
+unset($GLOBALS[]);
+?>
+--EXPECTF--
+Fatal error: Cannot use [] for unsetting in %s on line %d
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 06c0034bc2..d1ea49342e 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -4692,6 +4692,10 @@ void zend_compile_unset(zend_ast *ast) /* {{{ */
 	zend_ensure_writable_variable(var_ast);
 
 	if (is_global_var_fetch(var_ast)) {
+		if (!var_ast->child[1]) {
+			zend_error_noreturn(E_COMPILE_ERROR, "Cannot use [] for unsetting");
+		}
+
 		zend_compile_expr(&var_node, var_ast->child[1]);
 		if (var_node.op_type == IS_CONST) {
 			convert_to_string(&var_node.u.constant);
@@ -8790,6 +8794,10 @@ void zend_compile_isset_or_empty(znode *result, zend_ast *ast) /* {{{ */
 	}
 
 	if (is_global_var_fetch(var_ast)) {
+		if (!var_ast->child[1]) {
+			zend_error_noreturn(E_COMPILE_ERROR, "Cannot use [] for reading");
+		}
+
 		zend_compile_expr(&var_node, var_ast->child[1]);
 		if (var_node.op_type == IS_CONST) {
 			convert_to_string(&var_node.u.constant);