From 27affd8da173db7f7db5535c4caaf55d2986f925 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Wed, 12 Mar 2025 19:39:58 +0100
Subject: [PATCH 1/2] Fix GH-18018: RC1 data returned from offsetGet causes UAF in ArrayObject
We should first check truthiness and only after that destroy the value. Closes GH-18034.
---
 NEWS | 4 ++++
 ext/spl/spl_array.c | 6 ++++--
 ext/spl/tests/gh18018.phpt | 20 ++++++++++++++++++++
 3 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 ext/spl/tests/gh18018.phpt
diff --git a/NEWS b/NEWS
index 4fa4fee3d84..58de3a7ed3c 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,10 @@ PHP NEWS
 . Fixed bug GH-17989 (mb_output_handler crash with unset http_output_conv_mimetypes). (nielsdos)
+- SPL:
+ . Fixed bug GH-18018 (RC1 data returned from offsetGet causes UAF in
+ ArrayObject). (nielsdos)
+
 - Treewide:
 . Fixed bug GH-17736 (Assertion failure zend_reference_destroy()). (nielsdos)
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index bd03a8aae01..8d4541797a1 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -641,12 +641,14 @@ static bool spl_array_has_dimension_ex(bool check_inherited, zend_object *object
 }
 }
+ /* empty() check the value is not falsy, isset() only check it is not null */
+ bool result = check_empty ? zend_is_true(value) : Z_TYPE_P(value) != IS_NULL;
+
 if (value == &rv) {
 zval_ptr_dtor(&rv);
 }
- /* empty() check the value is not falsy, isset() only check it is not null */
- return check_empty ? zend_is_true(value) : Z_TYPE_P(value) != IS_NULL;
+ return result;
 }
 /* }}} */
 static int spl_array_has_dimension(zend_object *object, zval *offset, int check_empty) /* {{{ */
diff --git a/ext/spl/tests/gh18018.phpt b/ext/spl/tests/gh18018.phpt
new file mode 100644
index 00000000000..06fa7fc3d0e
--- /dev/null
+++ b/ext/spl/tests/gh18018.phpt
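Review bot: The comment moved above the new `bool result = …` line still does not say why the evaluation must now precede `zval_ptr_dtor(&rv)`, which is the whole substance of the fix: when `value == &rv` the zval is released a few lines later, and reading it after that release was the GH-18018 use-after-free. I would record that constraint where the next refactor will see it, e.g. `/* Evaluate before releasing rv below: value may alias rv (temporary returned by offsetGet) - GH-18018 */`, so the ordering is not silently undone when someone tidies the function. While touching the line, its grammar could be corrected to `empty() checks the value is not falsy, isset() only checks it is not null`. The body of spl_array_has_dimension_ex begins outside the hunk, so whether `value` can be NULL at this point cannot be judged from what is shown here.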
@@ -0,0 +1,20 @@
+--TEST--
+GH-18018 (RC1 data returned from offsetGet causes UAF in ArrayObject)
+--FILE--
+ 1];
+
+$object = new Crap($values);
+
+var_dump(empty($object['qux']));
+?>
+--EXPECT--
+bool(false)
From 3c17d3fc054e3b964b77c7a12a632201bd53b027 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Thu, 13 Mar 2025 19:11:53 +0100
Subject: [PATCH 2/2] [ci skip] Fix NEWS order
---
 NEWS | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/NEWS b/NEWS
index 4cb6bbb0912..43f43d7757f 100644
--- a/NEWS
+++ b/NEWS
@@ -28,6 +28,10 @@ PHP NEWS
 . Fixed bug GH-17991 (Assertion failure dom_attr_value_write). (nielsdos)
 . Fix weird unpack behaviour in DOM. (nielsdos)
+- GD:
+ . Fixed bug GH-17984 (calls with arguments as array with references).
+ (David Carlier)
+
 - Mbstring:
 . Fixed bug GH-17989 (mb_output_handler crash with unset http_output_conv_mimetypes). (nielsdos)
@@ -40,10 +44,6 @@ PHP NEWS
 - Standard:
 . Fix memory leaks in array_any() / array_all(). (nielsdos)
-- GD:
- . Fixed bug GH-17984 (calls with arguments as array with references).
- (David Carlier)
-
 - SPL:
 . Fixed bug GH-18018 (RC1 data returned from offsetGet causes UAF in
 ArrayObject). (nielsdos)