From f9ce6d8f3aa7a584e1befae166373820787fa522 Mon Sep 17 00:00:00 2001 From: Ilija Tovilo Date: Thu, 28 Aug 2025 18:46:20 +0200 Subject: [PATCH] Stale array iterator pointer Fixes GH-19613 Closes GH-19616 --- NEWS | 1 + Zend/tests/gh19613.phpt | 22 ++++++++++++++++++++++ Zend/zend_hash.c | 11 +++++++++-- 3 files changed, 32 insertions(+), 2 deletions(-) create mode 100644 Zend/tests/gh19613.phpt diff --git a/NEWS b/NEWS index d1327afee9a..a85a48b3e0f 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,7 @@ PHP NEWS due to signed int overflow). (ilutov) . Fixed bug GH-19544 (GC treats ZEND_WEAKREF_TAG_MAP references as WeakMap references). (Arnaud, timwolla) + . Fixed bug GH-19613 (Stale array iterator pointer). (ilutov) - Date: . Fixed date_sunrise() and date_sunset() with partial-hour UTC offset. diff --git a/Zend/tests/gh19613.phpt b/Zend/tests/gh19613.phpt new file mode 100644 index 00000000000..cd8360b681c --- /dev/null +++ b/Zend/tests/gh19613.phpt @@ -0,0 +1,22 @@ +--TEST-- +GH-19613: Invalidated array iterator pointer after array separation +--FILE-- + +--EXPECT-- +===DONE=== diff --git a/Zend/zend_hash.c b/Zend/zend_hash.c index 90a36efd2b9..07d5bed6d76 100644 --- a/Zend/zend_hash.c +++ b/Zend/zend_hash.c @@ -630,8 +630,15 @@ ZEND_API HashPosition ZEND_FASTCALL zend_hash_iterator_pos_ex(uint32_t idx, zval && EXPECTED(!HT_ITERATORS_OVERFLOW(ht))) { HT_DEC_ITERATORS_COUNT(iter->ht); } - SEPARATE_ARRAY(array); - ht = Z_ARRVAL_P(array); + + /* Inlined SEPARATE_ARRAY() with updating of iterator when EG(ht_iterators) grows. */ + if (UNEXPECTED(GC_REFCOUNT(ht) > 1)) { + ZVAL_ARR(array, zend_array_dup(ht)); + GC_TRY_DELREF(ht); + iter = EG(ht_iterators) + idx; + ht = Z_ARRVAL_P(array); + } + if (EXPECTED(!HT_ITERATORS_OVERFLOW(ht))) { HT_INC_ITERATORS_COUNT(ht); }
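Review bot: The new comment in the `GC_REFCOUNT(ht) > 1` branch of `zend_hash_iterator_pos_ex()` says `iter` is refreshed "when EG(ht_iterators) grows", but not what makes the table grow or why a stale `iter` is dangerous. Someone folding this back into `SEPARATE_ARRAY(array)` later could therefore reintroduce a pointer into the old iterator table. I would spell it out, e.g. `/* zend_array_dup() may register iterator copies and reallocate EG(ht_iterators); re-derive iter from idx so later accesses through iter do not use the old table. */`, assuming, as the commit title suggests, that the duplication is what moves the table. The function starts before and continues past this hunk, so the later uses of `iter` are not visible here. If the macro was open-coded only to place the refresh, keeping `SEPARATE_ARRAY(array);` and following it with an unconditional `iter = EG(ht_iterators) + idx;` would stop the inlined body drifting from the macro.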