Merge branch 'PHP-8.4'

* PHP-8.4: [ci skip] Fix NEWS order Fix GH-18018: RC1 data returned from offsetGet causes UAF in ArrayObject
2026-03-24 08:12:21 +01:00 · 2025-03-13 19:11:59 +01:00
parent 11ec2cb94a 3c17d3fc05
commit fc047b4e00
2 changed files with 24 additions and 2 deletions
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -665,12 +665,14 @@ static bool spl_array_has_dimension_ex(bool check_inherited, zend_object *object
 		}
 	}

+	/* empty() check the value is not falsy, isset() only check it is not null */
+	bool result = check_empty ? zend_is_true(value) : Z_TYPE_P(value) != IS_NULL;
+
 	if (value == &rv) {
 		zval_ptr_dtor(&rv);
 	}

-	/* empty() check the value is not falsy, isset() only check it is not null */
-	return check_empty ? zend_is_true(value) : Z_TYPE_P(value) != IS_NULL;
+	return result;
 } /* }}} */

 static int spl_array_has_dimension(zend_object *object, zval *offset, int check_empty) /* {{{ */
--- a/ext/spl/tests/gh18018.phpt
+++ b/ext/spl/tests/gh18018.phpt
@@ -0,0 +1,20 @@
+--TEST--
+GH-18018 (RC1 data returned from offsetGet causes UAF in ArrayObject)
+--FILE--
+<?php
+class Crap extends ArrayObject
+{
+    public function offsetGet($offset): mixed
+    {
+        return [random_int(1,1)];
+    }
+}
+
+$values = ['qux' => 1];
+
+$object = new Crap($values);
+
+var_dump(empty($object['qux']));
+?>
+--EXPECT--
+bool(false)