Fix GH-19044: Protected properties are not scoped according to their prototype

bwoebi · bwoebi · commit 1fa44f7dc4c2 · 2025-07-06T03:10:51.000+02:00
diff --git a/NEWS b/NEWS
@@ -11,6 +11,8 @@ PHP                                                                        NEWS
   . Fixed bug GH-18907 (Leak when creating cycle in hook). (ilutov)
   . Fix OSS-Fuzz #427814456. (nielsdos)
   . Fix OSS-Fuzz #428983568 and #428760800. (nielsdos)
+  . Fixed bug GH-19044 (Protected properties are not scoped according to their
+    prototype). (Bob)
 
 - Curl:
   . Fix memory leaks when returning refcounted value from curl callback.
diff --git a/Zend/tests/gh19044.phpt b/Zend/tests/gh19044.phpt
@@ -0,0 +1,26 @@
+--TEST--
+GH-19044: Protected properties must be scoped according to their prototype
+--FILE--
+<?php
+
+abstract class P {
+    protected $foo;
+}
+
+class C1 extends P {
+    protected $foo = 1;
+}
+
+class C2 extends P {
+    protected $foo = 2;
+    
+    static function foo($c) { return $c->foo; }
+}
+
+var_dump(C2::foo(new C2));
+var_dump(C2::foo(new C1));
+
+?>
+--EXPECT--
+int(2)
+int(1)
diff --git a/Zend/tests/property_hooks/gh19044-1.phpt b/Zend/tests/property_hooks/gh19044-1.phpt
@@ -0,0 +1,26 @@
+--TEST--
+GH-19044: Protected properties must be scoped according to their prototype (common ancestor has a protected setter)
+--FILE--
+<?php
+
+abstract class P {
+    abstract public mixed $foo { get; }
+}
+
+class C1 extends P {
+    public protected(set) mixed $foo { get => 1; set {} }
+}
+
+class GrandC1 extends C1 {
+    public protected(set) mixed $foo { get => 2; set {} }
+}
+
+class C2 extends C1 {
+    static function foo($c) { return $c->foo += 1; }
+}
+
+var_dump(C2::foo(new GrandC1));
+
+?>
+--EXPECT--
+int(3)
diff --git a/Zend/tests/property_hooks/gh19044-2.phpt b/Zend/tests/property_hooks/gh19044-2.phpt
@@ -0,0 +1,30 @@
+--TEST--
+GH-19044: Protected properties must be scoped according to their prototype (common ancestor does not have a setter)
+--FILE--
+<?php
+
+abstract class P {
+    abstract public mixed $foo { get; }
+}
+
+class C1 extends P {
+    public mixed $foo { get => 1; }
+}
+
+class GrandC1 extends C1 {
+    public protected(set) mixed $foo { get => 2; set {} }
+}
+
+class C2 extends C1 {
+    static function foo($c) { return $c->foo += 1; }
+}
+
+var_dump(C2::foo(new GrandC1));
+
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: Cannot modify protected(set) property GrandC1::$foo from scope C2 in %s:%d
+Stack trace:
+#0 %s(%d): C2::foo(Object(GrandC1))
+#1 {main}
+  thrown in %s on line %d
diff --git a/Zend/tests/property_hooks/gh19044-3.phpt b/Zend/tests/property_hooks/gh19044-3.phpt
@@ -0,0 +1,24 @@
+--TEST--
+GH-19044: Protected properties must be scoped according to their prototype (abstract parent defining visibility only takes precedence)
+--FILE--
+<?php
+
+abstract class P {
+    abstract protected(set) mixed $foo { get; set; }
+}
+
+class C1 extends P {
+    public protected(set) mixed $foo { get => 2; set {} }
+}
+
+class C2 extends P {
+    public mixed $foo = 1;
+
+    static function foo($c) { return $c->foo += 1; }
+}
+
+var_dump(C2::foo(new C1));
+
+?>
+--EXPECT--
+int(3)
diff --git a/Zend/tests/property_hooks/gh19044-4.phpt b/Zend/tests/property_hooks/gh19044-4.phpt
@@ -0,0 +1,28 @@
+--TEST--
+GH-19044: Protected properties must be scoped according to their prototype (abstract parent sets protected(set) with not having grandparent a setter - both inherit from parent)
+--FILE--
+<?php
+
+abstract class GP {
+    abstract mixed $foo { get; }
+}
+
+abstract class P extends GP {
+    abstract protected(set) mixed $foo { get; set; }
+}
+
+class C1 extends P {
+    public protected(set) mixed $foo { get => 2; set {} }
+}
+
+class C2 extends P {
+    public mixed $foo = 1;
+
+    static function foo($c) { return $c->foo += 1; }
+}
+
+var_dump(C2::foo(new C1));
+
+?>
+--EXPECT--
+int(3)
diff --git a/Zend/tests/property_hooks/gh19044-5.phpt b/Zend/tests/property_hooks/gh19044-5.phpt
@@ -0,0 +1,32 @@
+--TEST--
+GH-19044: Protected properties must be scoped according to their prototype (abstract parent sets protected(set) with not having grandparent a setter - one inherits from grandparent)
+--FILE--
+<?php
+
+abstract class GP {
+    abstract mixed $foo { get; }
+}
+
+abstract class P extends GP {
+    abstract protected(set) mixed $foo { get; set; }
+}
+
+class C1 extends P {
+    public protected(set) mixed $foo { get => 2; set {} }
+}
+
+class C2 extends GP {
+    public mixed $foo = 1;
+
+    static function foo($c) { return $c->foo += 1; }
+}
+
+var_dump(C2::foo(new C1));
+
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: Cannot modify protected(set) property C1::$foo from scope C2 in %s:%d
+Stack trace:
+#0 %s(%d): C2::foo(Object(C1))
+#1 {main}
+  thrown in %s on line %d
diff --git a/Zend/tests/property_hooks/gh19044.phpt b/Zend/tests/property_hooks/gh19044.phpt
@@ -0,0 +1,26 @@
+--TEST--
+GH-19044: Protected properties must be scoped according to their prototype (hooks variation)
+--FILE--
+<?php
+
+abstract class P {
+    abstract protected $foo { get; }
+}
+
+class C1 extends P {
+    protected $foo = 1;
+}
+
+class C2 extends P {
+    protected $foo = 2;
+    
+    static function foo($c) { return $c->foo; }
+}
+
+var_dump(C2::foo(new C2));
+var_dump(C2::foo(new C1));
+
+?>
+--EXPECT--
+int(2)
+int(1)
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -282,7 +282,20 @@ static zend_always_inline bool is_derived_class(const zend_class_entry *child_cl
 static zend_never_inline int is_protected_compatible_scope(const zend_class_entry *ce, const zend_class_entry *scope) /* {{{ */
 {
 	return scope &&
-		(is_derived_class(ce, scope) || is_derived_class(scope, ce));
+		(ce == scope || is_derived_class(ce, scope) || is_derived_class(scope, ce));
+}
+/* }}} */
+
+static zend_never_inline int is_asymmetric_set_protected_property_compatible_scope(const zend_property_info *info, const zend_class_entry *scope) /* {{{ */
+{
+	zend_class_entry *ce;
+	if (!(info->prototype->flags & ZEND_ACC_PROTECTED_SET) && info->hooks && info->hooks[ZEND_PROPERTY_HOOK_SET]) {
+	       zend_function *hookfn = info->hooks[ZEND_PROPERTY_HOOK_SET];
+	       ce = hookfn->common.prototype ? hookfn->common.prototype->common.scope : hookfn->common.scope;
+	} else {
+	       ce = info->prototype->ce;
+	}
+	return is_protected_compatible_scope(ce, scope);
 }
 /* }}} */
 
@@ -419,7 +432,7 @@ static zend_always_inline uintptr_t zend_get_property_offset(zend_class_entry *c
 				}
 			} else {
 				ZEND_ASSERT(flags & ZEND_ACC_PROTECTED);
-				if (UNEXPECTED(!is_protected_compatible_scope(property_info->ce, scope))) {
+				if (UNEXPECTED(!is_protected_compatible_scope(property_info->prototype->ce, scope))) {
 					goto wrong;
 				}
 			}
@@ -514,7 +527,7 @@ ZEND_API zend_property_info *zend_get_property_info(const zend_class_entry *ce,
 				}
 			} else {
 				ZEND_ASSERT(flags & ZEND_ACC_PROTECTED);
-				if (UNEXPECTED(!is_protected_compatible_scope(property_info->ce, scope))) {
+				if (UNEXPECTED(!is_protected_compatible_scope(property_info->prototype->ce, scope))) {
 					goto wrong;
 				}
 			}
@@ -585,7 +598,7 @@ ZEND_API bool ZEND_FASTCALL zend_asymmetric_property_has_set_access(const zend_p
 		return true;
 	}
 	return EXPECTED((prop_info->flags & ZEND_ACC_PROTECTED_SET)
-		&& is_protected_compatible_scope(prop_info->ce, scope));
+		&& is_asymmetric_set_protected_property_compatible_scope(prop_info, scope));
 }
 
 static void zend_property_guard_dtor(zval *el) /* {{{ */ {
@@ -2030,7 +2043,7 @@ ZEND_API zval *zend_std_get_static_property_with_info(zend_class_entry *ce, zend
 		zend_class_entry *scope = get_fake_or_executed_scope();
 		if (property_info->ce != scope) {
 			if (UNEXPECTED(property_info->flags & ZEND_ACC_PRIVATE)
-			 || UNEXPECTED(!is_protected_compatible_scope(property_info->ce, scope))) {
+			 || UNEXPECTED(!is_protected_compatible_scope(property_info->prototype->ce, scope))) {
 				if (type != BP_VAR_IS) {
 					zend_bad_property_access(property_info, ce, property_name);
 				}

Original file line number	Diff line number	Diff line change
`@@ -282,7 +282,20 @@ static zend_always_inline bool is_derived_class(const zend_class_entry *child_cl`
`282`	`282`	`static zend_never_inline int is_protected_compatible_scope(const zend_class_entry ce, const zend_class_entry scope) /* {{{ */`
`283`	`283`	`{`
`284`	`284`	`return scope &&`
`285`		`- (is_derived_class(ce, scope) \|\| is_derived_class(scope, ce));`
	`285`	`+ (ce == scope \|\| is_derived_class(ce, scope) \|\| is_derived_class(scope, ce));`
	`286`	`+}`
	`287`	`+/* }}} */`
	`288`	`+`
	`289`	`+static zend_never_inline int is_asymmetric_set_protected_property_compatible_scope(const zend_property_info info, const zend_class_entry scope) /* {{{ */`
	`290`	`+{`
	`291`	`+ zend_class_entry *ce;`
	`292`	`+ if (!(info->prototype->flags & ZEND_ACC_PROTECTED_SET) && info->hooks && info->hooks[ZEND_PROPERTY_HOOK_SET]) {`
	`293`	`+ zend_function *hookfn = info->hooks[ZEND_PROPERTY_HOOK_SET];`
	`294`	`+ ce = hookfn->common.prototype ? hookfn->common.prototype->common.scope : hookfn->common.scope;`
	`295`	`+ } else {`
	`296`	`+ ce = info->prototype->ce;`
	`297`	`+ }`
	`298`	`+ return is_protected_compatible_scope(ce, scope);`
`286`	`299`	`}`
`287`	`300`	`/* }}} */`
`288`	`301`
`@@ -419,7 +432,7 @@ static zend_always_inline uintptr_t zend_get_property_offset(zend_class_entry *c`
`419`	`432`	`}`
`420`	`433`	`} else {`
`421`	`434`	`ZEND_ASSERT(flags & ZEND_ACC_PROTECTED);`
`422`		`- if (UNEXPECTED(!is_protected_compatible_scope(property_info->ce, scope))) {`
	`435`	`+ if (UNEXPECTED(!is_protected_compatible_scope(property_info->prototype->ce, scope))) {`
`423`	`436`	`goto wrong;`
`424`	`437`	`}`
`425`	`438`	`}`
`@@ -514,7 +527,7 @@ ZEND_API zend_property_info zend_get_property_info(const zend_class_entry ce,`
`514`	`527`	`}`
`515`	`528`	`} else {`
`516`	`529`	`ZEND_ASSERT(flags & ZEND_ACC_PROTECTED);`
`517`		`- if (UNEXPECTED(!is_protected_compatible_scope(property_info->ce, scope))) {`
	`530`	`+ if (UNEXPECTED(!is_protected_compatible_scope(property_info->prototype->ce, scope))) {`
`518`	`531`	`goto wrong;`
`519`	`532`	`}`
`520`	`533`	`}`
`@@ -585,7 +598,7 @@ ZEND_API bool ZEND_FASTCALL zend_asymmetric_property_has_set_access(const zend_p`
`585`	`598`	`return true;`
`586`	`599`	`}`
`587`	`600`	`return EXPECTED((prop_info->flags & ZEND_ACC_PROTECTED_SET)`
`588`		`- && is_protected_compatible_scope(prop_info->ce, scope));`
	`601`	`+ && is_asymmetric_set_protected_property_compatible_scope(prop_info, scope));`
`589`	`602`	`}`
`590`	`603`
`591`	`604`	`static void zend_property_guard_dtor(zval el) / {{{ */ {`
`@@ -2030,7 +2043,7 @@ ZEND_API zval zend_std_get_static_property_with_info(zend_class_entry ce, zend`
`2030`	`2043`	`zend_class_entry *scope = get_fake_or_executed_scope();`
`2031`	`2044`	`if (property_info->ce != scope) {`
`2032`	`2045`	`if (UNEXPECTED(property_info->flags & ZEND_ACC_PRIVATE)`
`2033`		`- \|\| UNEXPECTED(!is_protected_compatible_scope(property_info->ce, scope))) {`
	`2046`	`+ \|\| UNEXPECTED(!is_protected_compatible_scope(property_info->prototype->ce, scope))) {`
`2034`	`2047`	`if (type != BP_VAR_IS) {`
`2035`	`2048`	`zend_bad_property_access(property_info, ce, property_name);`
`2036`	`2049`	`}`