From 6887b97a8db2effd0dddeedb4a1aee8809c97ea4 Mon Sep 17 00:00:00 2001
From: Felipe Pena <felipe@php.net>
Date: Sun, 24 Oct 2010 14:03:07 +0000
Subject: [PATCH] - Fixed bug #53144 (SplObjectStorage::removeAll())

---
 ext/spl/spl_observer.c      | 16 ++++++++--------
 ext/spl/tests/bug53144.phpt | 20 ++++++++++++++++++++
 2 files changed, 28 insertions(+), 8 deletions(-)
 create mode 100644 ext/spl/tests/bug53144.phpt

diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index 4b1dd1fa3e..82e0c52d09 100755
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -166,17 +166,17 @@ void spl_object_storage_attach(spl_SplObjectStorage *intern, zval *obj, zval *in
 #endif
 } /* }}} */
 
-void spl_object_storage_detach(spl_SplObjectStorage *intern, zval *obj TSRMLS_DC) /* {{{ */
+int spl_object_storage_detach(spl_SplObjectStorage *intern, zval *obj TSRMLS_DC) /* {{{ */
 {
 #if HAVE_PACKED_OBJECT_VALUE
-	zend_hash_del(&intern->storage, (char*)&Z_OBJVAL_P(obj), sizeof(zend_object_value));
+	return zend_hash_del(&intern->storage, (char*)&Z_OBJVAL_P(obj), sizeof(zend_object_value));
 #else
 	{
 		zend_object_value zvalue;
 		memset(&zvalue, 0, sizeof(zend_object_value));
 		zvalue.handle = Z_OBJ_HANDLE_P(obj);
 		zvalue.handlers = Z_OBJ_HT_P(obj);
-		zend_hash_del(&intern->storage, (char*)&zvalue, sizeof(zend_object_value));
+		return zend_hash_del(&intern->storage, (char*)&zvalue, sizeof(zend_object_value));
 	}
 #endif
 } /* }}}*/
@@ -412,7 +412,6 @@ SPL_METHOD(SplObjectStorage, removeAll)
 	spl_SplObjectStorage *intern = (spl_SplObjectStorage *)zend_object_store_get_object(getThis() TSRMLS_CC);
 	spl_SplObjectStorage *other;
 	spl_SplObjectStorageElement *element;
-	HashPosition pos;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "O", &obj, spl_ce_SplObjectStorage) == FAILURE) {
 		return;
@@ -420,10 +419,11 @@ SPL_METHOD(SplObjectStorage, removeAll)
 
 	other = (spl_SplObjectStorage *)zend_object_store_get_object(obj TSRMLS_CC);
 
-	zend_hash_internal_pointer_reset_ex(&other->storage, &pos);
-	while (zend_hash_get_current_data_ex(&other->storage, (void **)&element, &pos) == SUCCESS) {
-		spl_object_storage_detach(intern, element->obj TSRMLS_CC);
-		zend_hash_move_forward_ex(&other->storage, &pos);
+	zend_hash_internal_pointer_reset(&other->storage);
+	while (zend_hash_get_current_data(&other->storage, (void **)&element) == SUCCESS) {
+		if (spl_object_storage_detach(intern, element->obj TSRMLS_CC) == FAILURE) {
+			zend_hash_move_forward(&other->storage);
+		}
 	}
 
 	zend_hash_internal_pointer_reset_ex(&intern->storage, &intern->pos);
diff --git a/ext/spl/tests/bug53144.phpt b/ext/spl/tests/bug53144.phpt
new file mode 100644
index 0000000000..7cf179b3eb
--- /dev/null
+++ b/ext/spl/tests/bug53144.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #53144 (Segfault in SplObjectStorage::removeAll)
+--FILE--
+<?php
+
+$o1 = new StdClass;
+$o2 = new StdClass;
+
+$b = new SplObjectStorage();
+$b[$o1] = "bar";
+$b[$o2] = "baz";
+
+var_dump(count($b));
+$b->removeAll($b);
+var_dump(count($b));
+
+?>
+--EXPECTF--
+int(2)
+int(0)
\ No newline at end of file
-- 
2.40.0