From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 1 Mar 2021 15:20:31 +0000 (+0100)
Subject: Always remove HT iterators, even for uninit HT
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2c508c4d407e98a27ed2631ae88e2e10ee430003;p=php

Always remove HT iterators, even for uninit HT

Fixes oss-fuzz #31423.
---

diff --git a/Zend/tests/array_splice_empty_ht_iter_removal.phpt b/Zend/tests/array_splice_empty_ht_iter_removal.phpt
new file mode 100644
index 0000000000..1461827bc9
--- /dev/null
+++ b/Zend/tests/array_splice_empty_ht_iter_removal.phpt
@@ -0,0 +1,15 @@
+--TEST--
+HT iterator should be destroyed if array becomes empty during array_splice
+--FILE--
+<?php
+$a=[4];
+$i = 0;
+foreach ($a as &$r) {
+    var_dump($r);
+    $a = array_splice($a, 0);
+    if (++$i == 2) break;
+}
+?>
+--EXPECT--
+int(4)
+int(4)
diff --git a/Zend/zend_hash.c b/Zend/zend_hash.c
index d35d8afd53..da150bd798 100644
--- a/Zend/zend_hash.c
+++ b/Zend/zend_hash.c
@@ -1630,10 +1630,10 @@ ZEND_API void ZEND_FASTCALL zend_array_destroy(HashTable *ht)
 	} else if (EXPECTED(HT_FLAGS(ht) & HASH_FLAG_UNINITIALIZED)) {
 		goto free_ht;
 	}
-	zend_hash_iterators_remove(ht);
 	SET_INCONSISTENT(HT_DESTROYED);
 	efree(HT_GET_DATA_ADDR(ht));
 free_ht:
+	zend_hash_iterators_remove(ht);
 	FREE_HASHTABLE(ht);
 }