diff --git a/NEWS b/NEWS index ab0204114cb..8d85684e86b 100644 --- a/NEWS +++ b/NEWS @@ -36,6 +36,10 @@ PHP NEWS - Shmop: . Fixed bug GH-14537 (shmop Windows 11 crashes the process). (nielsdos) +- SPL: + . Fixed bug GH-14639 (Member access within null pointer in + ext/spl/spl_observer.c). (nielsdos) + - Standard: . Fixed bug GH-14775 (range function overflow with negative step argument). (David Carlier) diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c index b996764c1ac..00f25ecbbc4 100644 --- a/ext/spl/spl_observer.c +++ b/ext/spl/spl_observer.c @@ -118,9 +118,11 @@ static void spl_object_storage_free_hash(spl_SplObjectStorage *intern, zend_hash static void spl_object_storage_dtor(zval *element) /* {{{ */ { spl_SplObjectStorageElement *el = Z_PTR_P(element); - zend_object_release(el->obj); - zval_ptr_dtor(&el->inf); - efree(el); + if (el) { + zend_object_release(el->obj); + zval_ptr_dtor(&el->inf); + efree(el); + } } /* }}} */ static spl_SplObjectStorageElement* spl_object_storage_get(spl_SplObjectStorage *intern, zend_hash_key *key) /* {{{ */ @@ -168,8 +170,10 @@ static spl_SplObjectStorageElement *spl_object_storage_attach_handle(spl_SplObje return pelement; } + /* NULL initialization necessary because `spl_object_storage_create_element` could bail out due to OOM. */ + ZVAL_PTR(entry_zv, NULL); pelement = spl_object_storage_create_element(obj, inf); - ZVAL_PTR(entry_zv, pelement); + Z_PTR_P(entry_zv) = pelement; return pelement; } /* }}} */ diff --git a/ext/spl/tests/gh14639.phpt b/ext/spl/tests/gh14639.phpt new file mode 100644 index 00000000000..1b6f621d27b --- /dev/null +++ b/ext/spl/tests/gh14639.phpt @@ -0,0 +1,21 @@ +--TEST-- +GH-14639 (Member access within null pointer in ext/spl/spl_observer.c) +--INI-- +memory_limit=2M +--SKIPIF-- + +--FILE-- + 0; $i--) { + $object = new StdClass(); + $object->a = str_repeat("a", 2); + $b->attach($object); +} +?> +--EXPECTF-- +Fatal error: Allowed memory size of %d bytes exhausted%s(tried to allocate %d bytes) in %s on line %d