From 86a3d16f09200f25202aafe42d0013fc875521aa Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Fri, 5 Dec 2025 19:32:40 +0100
Subject: [PATCH] Fix dumping function signature with dynamic class const
 lookup default argument

Fixes OSS-Fuzz #465488618
---
 Zend/tests/oss-fuzz-465488618.phpt | 17 +++++++++++++++++
 Zend/zend_inheritance.c            |  4 +++-
 2 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/oss-fuzz-465488618.phpt

diff --git a/Zend/tests/oss-fuzz-465488618.phpt b/Zend/tests/oss-fuzz-465488618.phpt
new file mode 100644
index 0000000000000..bf953d877231c
--- /dev/null
+++ b/Zend/tests/oss-fuzz-465488618.phpt
@@ -0,0 +1,17 @@
+--TEST--
+OSS-Fuzz #465488618: Dump function signature with dynamic class const lookup default argument
+--FILE--
+<?php
+
+class A {
+    public function test(int $x) {}
+}
+
+class B extends A
+{
+    public function test(string $x = Foo::{C}) {}
+}
+
+?>
+--EXPECTF--
+Fatal error: Declaration of B::test(string $x = <expression>) must be compatible with A::test(int $x) in %s on line %d
diff --git a/Zend/zend_inheritance.c b/Zend/zend_inheritance.c
index 5ba883addca55..a89114b80deea 100644
--- a/Zend/zend_inheritance.c
+++ b/Zend/zend_inheritance.c
@@ -973,7 +973,9 @@ static ZEND_COLD zend_string *zend_get_function_declaration(
 							zend_ast *ast = Z_ASTVAL_P(zv);
 							if (ast->kind == ZEND_AST_CONSTANT) {
 								smart_str_append(&str, zend_ast_get_constant_name(ast));
-							} else if (ast->kind == ZEND_AST_CLASS_CONST) {
+							} else if (ast->kind == ZEND_AST_CLASS_CONST
+							 && ast->child[1]->kind == ZEND_AST_ZVAL
+							 && Z_TYPE_P(zend_ast_get_zval(ast->child[1])) == IS_STRING) {
 								smart_str_append(&str, zend_ast_get_str(ast->child[0]));
 								smart_str_appends(&str, "::");
 								smart_str_append(&str, zend_ast_get_str(ast->child[1]));