From: andrewnester Date: Mon, 24 Jul 2017 15:41:02 +0000 (+0300) Subject: Fixed #74977 - Appending AppendIterator leads to segfault X-Git-Tag: php-7.2.0beta2~44^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=dbc2ffba822d13e74e37f5ba6e106f163c1008e8;p=php Fixed #74977 - Appending AppendIterator leads to segfault --- diff --git a/NEWS b/NEWS index c00851fda6..539c8496de 100644 --- a/NEWS +++ b/NEWS @@ -24,6 +24,8 @@ PHP NEWS - SPL: . Fixed bug #74669 (Unserialize ArrayIterator broken). (Andrew Nester) + . Fixed bug #74977 (Appending AppendIterator leads to segfault). + (Andrew Nester) 03 Aug 2017, PHP 7.1.8 diff --git a/ext/spl/spl_iterators.c b/ext/spl/spl_iterators.c index 72e0f2f606..772d5ceabb 100644 --- a/ext/spl/spl_iterators.c +++ b/ext/spl/spl_iterators.c @@ -3366,7 +3366,7 @@ SPL_METHOD(AppendIterator, __construct) Append an iterator */ SPL_METHOD(AppendIterator, append) { - spl_dual_it_object *intern; + spl_dual_it_object *intern, *appender; zval *it; SPL_FETCH_AND_CHECK_DUAL_IT(intern, getThis()); @@ -3378,6 +3378,11 @@ SPL_METHOD(AppendIterator, append) spl_array_iterator_append(&intern->u.append.zarrayit, it); intern->u.append.iterator->funcs->move_forward(intern->u.append.iterator); }else{ + appender = Z_SPLDUAL_IT_P(it); + if (appender->dit_type == DIT_AppendIterator) { + spl_array_iterator_append(&intern->u.append.zarrayit, &appender->u.append.zarrayit); + return; + } spl_array_iterator_append(&intern->u.append.zarrayit, it); } diff --git a/ext/spl/tests/bug74977.phpt b/ext/spl/tests/bug74977.phpt new file mode 100644 index 0000000000..09e16eedfe --- /dev/null +++ b/ext/spl/tests/bug74977.phpt @@ -0,0 +1,13 @@ +--TEST-- +Bug #74977: Recursion leads to crash +--FILE-- +append($iterator); +var_dump($iterator); +?> +--EXPECTF-- +object(AppendIterator)#1 (0) { +} +