From: Xinchen Hui
Date: Wed, 2 Jul 2014 09:45:09 +0000 (+0800)
Subject: Fixed Bug #67538 (SPL Iterators use-after-free)
X-Git-Tag: php-5.5.15RC1~24
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=df78c48354f376cf419d7a97f88ca07d572f00fb;p=php
Fixed Bug #67538 (SPL Iterators use-after-free)
---
diff --git a/NEWS b/NEWS
index 10634a1ab3..7d23ec0ede 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,9 @@ PHP NEWS
 . Fix bug #67550 (Error in code "form" instead of "from", pgsql.c, line 756), which affected builds against libpq < 7.3. (Adam)
+- SPL:
+ . Fixed bug #67538 (SPL Iterators use-after-free). (Laruence)
+
 - Streams:
 . Fixed bug #67430 (http:// wrapper doesn't follow 308 redirects). (Adam)
diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
index 39a0733b9a..0b44d414d8 100644
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -43,12 +43,10 @@ PHPAPI zend_class_entry *spl_ce_SplStack;
 #define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \
 efree(elem); \
- elem = NULL; \
 }
 #define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \
 efree(elem); \
- elem = NULL; \
 }
 #define SPL_LLIST_ADDREF(elem) (elem)->rc++
@@ -916,6 +914,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset)
 llist->dtor(element TSRMLS_CC);
 }
+ if (intern->traverse_pointer == element) {
+ SPL_LLIST_DELREF(element);
+ intern->traverse_pointer = NULL;
+ }
+
 zval_ptr_dtor((zval **)&element->data);
 element->data = NULL;
diff --git a/ext/spl/tests/bug67538.phpt b/ext/spl/tests/bug67538.phpt
new file mode 100644
index 0000000000..b6f3848c36
--- /dev/null
+++ b/ext/spl/tests/bug67538.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #67538 (SPL Iterators use-after-free)
+--FILE--
+push('a');
+$list->push('b');
+
+$list->rewind();
+$list->offsetUnset(0);
+$list->push('b');
+$list->offsetUnset(0);
+$list->next();
+echo "okey";
+?>
+--EXPECTF--
+okey
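Review bot: Dropping `elem = NULL;` from SPL_LLIST_DELREF and SPL_LLIST_CHECK_DELREF changes the contract for every caller in the file, none of which is visible in this hunk: a caller that previously relied on the macro to clear its pointer after the final release now keeps a dangling pointer to efree'd memory. Each call site outside the hunk should be checked to make sure it does not read the pointer after the release, the way the offsetUnset change in this same commit now does explicitly with `intern->traverse_pointer = NULL;`. I would record the new contract on the macro itself: `/* Drops one reference; frees elem when the count reaches 0. The caller's pointer is not cleared and must not be dereferenced afterwards. */`. Since the macros are being edited anyway, the bare `if (...) { ... }` body would be safer wrapped in `do { ... } while (0)` so a call followed by `else` cannot bind to the macro's `if`.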
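Review bot: The added block releases the traverse pointer's reference with `SPL_LLIST_DELREF(element)` and the function then reads `element->data` two lines later, so this is only safe if the element's count is at least 2 at that point (the list's own reference plus the one taken when traverse_pointer was set). If any path can make traverse_pointer alias an element without a matching SPL_LLIST_ADDREF, the release here frees `element` and the following `zval_ptr_dtor((zval **)&element->data)` becomes exactly the use-after-free this commit is fixing. A comment on the new `if` stating that invariant, `/* traverse_pointer holds its own reference (SPL_LLIST_ADDREF), so rc >= 2 here and this release cannot free element */`, would make the assumption auditable. The foreach iterator object presumably keeps a separate traverse pointer that this check does not cover; worth confirming that path is handled elsewhere. offsetUnset's body begins and ends outside the hunk.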