Merge branch 'PHP-8.4'

* PHP-8.4: Fix GH-16589: UAF in SplDoublyLinked->serialize()
2026-03-24 00:02:20 +01:00 · 2024-10-27 19:12:21 +01:00
parent 836a162089 396b995d76
commit 6bf5bde107
2 changed files with 31 additions and 1 deletions
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -41,10 +41,13 @@ PHPAPI zend_class_entry  *spl_ce_SplStack;
 	efree(elem); \
 }

-#define SPL_LLIST_CHECK_DELREF(elem) if ((elem) && !--SPL_LLIST_RC(elem)) { \
+#define SPL_LLIST_CHECK_DELREF_EX(elem, on_free) if ((elem) && !--SPL_LLIST_RC(elem)) { \
 	efree(elem); \
+	on_free \
 }

+#define SPL_LLIST_CHECK_DELREF(elem) SPL_LLIST_CHECK_DELREF_EX(elem, ;)
+
 #define SPL_LLIST_ADDREF(elem) SPL_LLIST_RC(elem)++
 #define SPL_LLIST_CHECK_ADDREF(elem) if (elem) SPL_LLIST_RC(elem)++

@@ -1013,8 +1016,12 @@ PHP_METHOD(SplDoublyLinkedList, serialize)
 		smart_str_appendc(&buf, ':');
 		next = current->next;

+		SPL_LLIST_CHECK_ADDREF(next);
+
 		php_var_serialize(&buf, &current->data, &var_hash);

+		SPL_LLIST_CHECK_DELREF_EX(next, break;);
+
 		current = next;
 	}

--- a/ext/spl/tests/gh16589.phpt
+++ b/ext/spl/tests/gh16589.phpt
@@ -0,0 +1,23 @@
+--TEST--
+GH-16589 (UAF in SplDoublyLinked->serialize())
+--CREDITS--
+chibinz
+--FILE--
+<?php
+
+class C {
+    function __serialize(): array {
+        global $list;
+        $list->pop();
+        return [];
+    }
+}
+
+$list = new SplDoublyLinkedList;
+$list->add(0, new C);
+$list->add(1, 1);
+var_dump($list->serialize());
+
+?>
+--EXPECT--
+string(17) "i:0;:O:1:"C":0:{}"