Fixed #74977 - Appending AppendIterator leads to segfault

diff --git a/NEWS b/NEWS
index c00851fda62d1d25380e2a4c8d4a390230d3bbf5..539c8496dea09604a3d4ddd99e1957d7591804b9 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -24,6 +24,8 @@ PHP                                                                        NEWS
 
 - SPL:
   . Fixed bug #74669 (Unserialize ArrayIterator broken). (Andrew Nester)
+  . Fixed bug #74977 (Appending AppendIterator leads to segfault). 
+    (Andrew Nester)
 
 03 Aug 2017, PHP 7.1.8
 

diff --git a/ext/spl/spl_iterators.c b/ext/spl/spl_iterators.c
index 72e0f2f60621bc87de9eebab972d91692fa06fe6..772d5ceabbc1ed3002be320b9e9659690170e56c 100644 (file)
--- a/ext/spl/spl_iterators.c
+++ b/ext/spl/spl_iterators.c
@@ -3366,7 +3366,7 @@ SPL_METHOD(AppendIterator, __construct)
    Append an iterator */
 SPL_METHOD(AppendIterator, append)
 {
-       spl_dual_it_object   *intern;
+       spl_dual_it_object   *intern, *appender;
        zval *it;
 
        SPL_FETCH_AND_CHECK_DUAL_IT(intern, getThis());
@@ -3378,6 +3378,11 @@ SPL_METHOD(AppendIterator, append)
                spl_array_iterator_append(&intern->u.append.zarrayit, it);
                intern->u.append.iterator->funcs->move_forward(intern->u.append.iterator);
        }else{
+               appender = Z_SPLDUAL_IT_P(it);
+               if (appender->dit_type == DIT_AppendIterator) {
+                       spl_array_iterator_append(&intern->u.append.zarrayit, &appender->u.append.zarrayit);
+                       return;
+               }
                spl_array_iterator_append(&intern->u.append.zarrayit, it);
        }
 

diff --git a/ext/spl/tests/bug74977.phpt b/ext/spl/tests/bug74977.phpt
new file mode 100644 (file)
index 0000000..09e16ee
--- /dev/null
+++ b/ext/spl/tests/bug74977.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #74977:    Recursion leads to crash
+--FILE--
+<?php
+
+$iterator = new AppendIterator(array("A","A","A"));
+$iterator->append($iterator);
+var_dump($iterator);
+?>
+--EXPECTF--
+object(AppendIterator)#1 (0) {
+}
+