php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 08:12:21 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
archived-php-src/ext/spl/tests/bug80663.phpt
Christoph M. Becker 2d6684091f Fix #80663: Recursive SplFixedArray::setSize() may cause double-free 
We address the `::setSize(0)` case by setting `array->element = NULL`
and `array->size = 0` before we destroy the elements.

Co-authored-by: Tyson Andre <tyson.andre@uwaterloo.ca>

Closes GH-7503.
2021-09-28 15:48:53 +02:00

16 lines
300 B
PHP
Raw Permalink Blame History

--TEST--
Bug #80663 (Recursive SplFixedArray::setSize() may cause double-free)
--FILE--
<?php
class InvalidDestructor {
public function __destruct() {
$GLOBALS['obj']->setSize(0);
}
}
$obj = new SplFixedArray(1000);
$obj[0] = new InvalidDestructor();
$obj->setSize(0);
?>
--EXPECT--
Reference in New Issue View Git Blame Copy Permalink