Merge branch 'PHP-8.0' into PHP-8.1

* PHP-8.0: Fix #80663: Recursive SplFixedArray::setSize() may cause double-free
2026-03-24 08:12:21 +01:00 · 2021-09-28 15:54:49 +02:00
parent d0715aa779 6154aa652d
commit e73cc7aea9
3 changed files with 26 additions and 3 deletions
--- a/4
+++ b/4
@@ -11,6 +11,10 @@ PHP                                                                        NEWS
    ReflectionClass). (Nikita)
  . Fixed bug #81474 (Make ReflectionEnum and related class non-final). (Nikita)

+- SPL:
+  . Fixed bug #80663 (Recursive SplFixedArray::setSize() may cause double-free).
+    (cmb, Nikita, Tyson Andre)
+
 - XML:
  . Fixed bug #70962 (XML_OPTION_SKIP_WHITE strips embedded whitespace).
    (Aliaksandr Bystry, cmb)
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -156,10 +156,14 @@ static void spl_fixedarray_dtor_range(spl_fixedarray *array, zend_long from, zen
 */
 static void spl_fixedarray_dtor(spl_fixedarray *array)
 {
-	zend_long size = array->size;
 	if (!spl_fixedarray_empty(array)) {
-		spl_fixedarray_dtor_range(array, 0, size);
-		efree(array->elements);
+		zval *begin = array->elements, *end = array->elements + array->size;
+		array->elements = NULL;
+		array->size = 0;
+		while (begin != end) {
+			zval_ptr_dtor(--end);
+		}
+		efree(begin);
 	}
 }

--- a/ext/spl/tests/bug80663.phpt
+++ b/ext/spl/tests/bug80663.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #80663 (Recursive SplFixedArray::setSize() may cause double-free)
+--FILE--
+<?php
+class InvalidDestructor {
+    public function __destruct() {
+        $GLOBALS['obj']->setSize(0);
+    }
+}
+
+$obj = new SplFixedArray(1000);
+$obj[0] = new InvalidDestructor();
+$obj->setSize(0);
+?>
+--EXPECT--