Fix bug #71735: Double-free in SplDoublyLinkedList::offsetSet

diff --git a/NEWS b/NEWS
index 3fd121c030032f8b81802030fe36084b1ea19b32..fc6a40b806e144a1475dae8e12633af7e780c7ad 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -30,6 +30,7 @@ PHP                                                                        NEWS
   . Fixed bug #52339 (SPL autoloader breaks class_exists()). (Nikita)
   . Fixed bug #67582 (Cloned SplObjectStorage with overwritten getHash fails
     offsetExists()). (Nikita)
+  . Fixed bug #71735 (Double-free in SplDoublyLinkedList::offsetSet). (Stas)
 
 - Standard:
   . Fixed bug #71837 (Wrong arrays behaviour). (Laruence)

diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
index aa0c6c384071a52daf815d230424bb9e97577e5b..1675c7eaf3a1d5b0a960512c7dd751a2f1d65a09 100644 (file)
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -830,7 +830,6 @@ SPL_METHOD(SplDoublyLinkedList, offsetSet)
                index = spl_offset_convert_to_long(zindex);
 
                if (index < 0 || index >= intern->llist->count) {
-                       zval_ptr_dtor(value);
                        zend_throw_exception(spl_ce_OutOfRangeException, "Offset invalid or out of range", 0);
                        return;
                }

diff --git a/ext/spl/tests/bug71735.phpt b/ext/spl/tests/bug71735.phpt
new file mode 100644 (file)
index 0000000..9256802
--- /dev/null
+++ b/ext/spl/tests/bug71735.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #71735 (Double-free in SplDoublyLinkedList::offsetSet)
+--FILE--
+<?php
+try {
+$var_1=new SplStack();
+$var_1->offsetSet(100,new DateTime('2000-01-01'));
+} catch(OutOfRangeException $e) {
+       print $e->getMessage()."\n";
+}
+?>
+===DONE===
+--EXPECT--
+Offset invalid or out of range
+===DONE===
\ No newline at end of file