Fixed Bug #67538 (SPL Iterators use-after-free)

diff --git a/NEWS b/NEWS
index 10634a1ab362e6bc71a2dc10195f7755e58d7d9b..7d23ec0ede96284f0772629c462b26d7675135bd 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,9 @@ PHP                                                                        NEWS
   . Fix bug #67550 (Error in code "form" instead of "from", pgsql.c, line 756),
     which affected builds against libpq < 7.3. (Adam)
 
+- SPL:
+  . Fixed bug #67538 (SPL Iterators use-after-free). (Laruence)
+
 - Streams:
   . Fixed bug #67430 (http:// wrapper doesn't follow 308 redirects). (Adam)
 

diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
index 39a0733b9ac78901cc7eaf9eba080ff060517771..0b44d414d82378bf2741fcd568dff20f407380a6 100644 (file)
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -43,12 +43,10 @@ PHPAPI zend_class_entry  *spl_ce_SplStack;
 
 #define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \
        efree(elem); \
-       elem = NULL; \
 }
 
 #define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \
        efree(elem); \
-       elem = NULL; \
 }
 
 #define SPL_LLIST_ADDREF(elem) (elem)->rc++
@@ -916,6 +914,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset)
                        llist->dtor(element TSRMLS_CC);
                }
 
+               if (intern->traverse_pointer == element) {
+                       SPL_LLIST_DELREF(element);
+                       intern->traverse_pointer = NULL;
+               }
+
                zval_ptr_dtor((zval **)&element->data);
                element->data = NULL;
 

diff --git a/ext/spl/tests/bug67538.phpt b/ext/spl/tests/bug67538.phpt
new file mode 100644 (file)
index 0000000..b6f3848
--- /dev/null
+++ b/ext/spl/tests/bug67538.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #67538 (SPL Iterators use-after-free)
+--FILE--
+<?php
+$list = new SplDoublyLinkedList();
+$list->push('a');
+$list->push('b');
+
+$list->rewind();
+$list->offsetUnset(0);
+$list->push('b');
+$list->offsetUnset(0);
+$list->next();
+echo "okey";
+?>
+--EXPECTF--
+okey