From 1762a879323177b4a6e6b597b48bdf53a052d345 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Thu, 14 Apr 2022 16:07:36 +0200 Subject: [PATCH] Fix GH-8366: ArrayIterator may leak when calling __construct() When we detach an iterator, we also have to delete it. Closes GH-8374. --- NEWS | 4 ++++ ext/spl/spl_array.c | 5 ++++- ext/spl/tests/gh8366.phpt | 9 +++++++++ 3 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 ext/spl/tests/gh8366.phpt diff --git a/NEWS b/NEWS index 79ff4202e2e..a0495599086 100644 --- a/NEWS +++ b/NEWS @@ -18,6 +18,10 @@ PHP NEWS . Fixed bug GH-8267 (MySQLi uses unsupported format specifier on Windows). (cmb) +- SPL: + . Fixed bug GH-8366 (ArrayIterator may leak when calling __construct()). + (cmb) + - Streams: . Fixed php://temp does not preserve file-position when switched to temporary file. (Bernd Holzmüller) diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index 9c8f95ee784..c8008e6b22a 100644 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -1129,7 +1129,10 @@ static void spl_array_set_array(zval *object, spl_array_object *intern, zval *ar intern->ar_flags &= ~SPL_ARRAY_IS_SELF & ~SPL_ARRAY_USE_OTHER; intern->ar_flags |= ar_flags; - intern->ht_iter = (uint32_t)-1; + if (intern->ht_iter != (uint32_t)-1) { + zend_hash_iterator_del(intern->ht_iter); + intern->ht_iter = (uint32_t)-1; + } } /* }}} */ diff --git a/ext/spl/tests/gh8366.phpt b/ext/spl/tests/gh8366.phpt new file mode 100644 index 00000000000..1da5360cc96 --- /dev/null +++ b/ext/spl/tests/gh8366.phpt @@ -0,0 +1,9 @@ +--TEST-- +Bug GH-8366 (ArrayIterator may leak when calling __construct()) +--FILE-- +__construct([]); +?> +--EXPECT--