Merge branch 'PHP-5.6'

ext/spl/spl_array.c

@@ -1742,6 +1742,7 @@ SPL_METHOD(Array, unserialize)
 	const unsigned char *p, *s;
 	php_unserialize_data_t var_hash;
 	zval *pmembers, *pflags = NULL;
+	HashTable *aht;
 	long flags;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
@@ -1752,6 +1753,12 @@ SPL_METHOD(Array, unserialize)
 		return;
 	}
 
+	aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
+	if (aht->nApplyCount > 0) {
+		zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
+		return;
+	}
+
 	/* storage */
 	s = p = (const unsigned char*)buf;
 	PHP_VAR_UNSERIALIZE_INIT(var_hash);

ext/spl/spl_dllist.c

@@ -43,12 +43,10 @@ PHPAPI zend_class_entry  *spl_ce_SplStack;
 
 #define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \
 	efree(elem); \
-	elem = NULL; \
 }
 
 #define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \
 	efree(elem); \
-	elem = NULL; \
 }
 
 #define SPL_LLIST_ADDREF(elem) (elem)->rc++
@@ -916,6 +914,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset)
 			llist->dtor(element TSRMLS_CC);
 		}
 
+		if (intern->traverse_pointer == element) {
+			SPL_LLIST_DELREF(element);
+			intern->traverse_pointer = NULL;
+		}
+
 		zval_ptr_dtor((zval **)&element->data);
 		element->data = NULL;
 

ext/spl/tests/bug67538.phpt

@@ -0,0 +1,17 @@
+--TEST--
+Bug #67538 (SPL Iterators use-after-free)
+--FILE--
+<?php
+$list = new SplDoublyLinkedList();
+$list->push('a');
+$list->push('b');
+
+$list->rewind();
+$list->offsetUnset(0);
+$list->push('b');
+$list->offsetUnset(0);
+$list->next();
+echo "okey";
+?>
+--EXPECTF--
+okey

ext/spl/tests/bug67539.phpt

@@ -0,0 +1,15 @@
+--TEST--
+Bug #67539 (ArrayIterator use-after-free due to object change during sorting)
+--FILE--
+<?php
+
+$it = new ArrayIterator(array_fill(0,2,'X'), 1 );
+
+function badsort($a, $b) {
+        $GLOBALS['it']->unserialize($GLOBALS['it']->serialize());
+        return TRUE;
+}
+
+$it->uksort('badsort');
+--EXPECTF--
+Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d