]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fc6f53d)
Remove bogus generator iterator dtor
authorNikita Popov <nikita.ppv@gmail.com>
Tue, 30 Jun 2020 15:28:47 +0000 (17:28 +0200)
committerNikita Popov <nikita.ppv@gmail.com>
Tue, 30 Jun 2020 15:32:42 +0000 (17:32 +0200)
Fixes a use-after-free encountered in Symfony's SecurityBundle.
I don't have a reproducer for this, and believe the issue can only
occur if we leak an iterator (the leak is a separate issue).

We should not free the generator iterator here, because we do not
own it. The code that fetched the iterator is responsible for
releasing it. In the rare case where we do hit this code-path,
we cause a use-after-free.

Zend/zend_generators.c patch | blob | history

diff --git a/Zend/zend_generators.c b/Zend/zend_generators.c
index ee7ae5c4637da73bb81e2f76133935c0073b7cab..4ccb57907f3d79fa91a2afbe3289e751887a1533 100644 (file)
--- a/Zend/zend_generators.c
+++ b/Zend/zend_generators.c
@@ -253,10 +253,6 @@ static void zend_generator_free_storage(zend_object *object) /* {{{ */
        }
 
        zend_object_std_dtor(&generator->std);
-
-       if (generator->iterator) {
-               zend_iterator_dtor(generator->iterator);
-       }
 }
 /* }}} */
 
Unnamed repository; edit this file 'description' to name the repository.