Merge branch 'PHP-8.4'

* PHP-8.4: Fix use-after-free in SplObjectStorage::setInfo()
2026-03-24 00:02:20 +01:00 · 2024-10-17 18:21:57 +02:00
parent 84d6cb8cf0 6d6b20f561
commit 9cb0f03808
2 changed files with 28 additions and 1 deletions
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -739,8 +739,10 @@ PHP_METHOD(SplObjectStorage, setInfo)
 	if ((element = zend_hash_get_current_data_ptr_ex(&intern->storage, &intern->pos)) == NULL) {
 		RETURN_NULL();
 	}
-	zval_ptr_dtor(&element->inf);
+	zval garbage;
+	ZVAL_COPY_VALUE(&garbage, &element->inf);
 	ZVAL_COPY(&element->inf, inf);
+	zval_ptr_dtor(&garbage);
 } /* }}} */

 /* {{{ Moves position forward */
--- a/ext/spl/tests/gh16479.phpt
+++ b/ext/spl/tests/gh16479.phpt
@@ -0,0 +1,25 @@
+--TEST--
+GH-16479: Use-after-free in SplObjectStorage::setInfo()
+--FILE--
+<?php
+
+class C {
+    function __destruct() {
+        global $store;
+        $store->removeAll($store);
+    }
+}
+
+$o = new stdClass;
+$store = new SplObjectStorage;
+$store[$o] = new C;
+$store->setInfo(1);
+var_dump($store);
+
+?>
+--EXPECT--
+object(SplObjectStorage)#2 (1) {
+  ["storage":"SplObjectStorage":private]=>
+  array(0) {
+  }
+}