Merge branch 'PHP-8.4' into PHP-8.5

* PHP-8.4:
  Fix GH-20856: heap-use-after-free in SplDoublyLinkedList iterator when modifying during iteration

NEWS

@@ -24,6 +24,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-18139 (Memory leak when overriding some settings
     via readline_info()). (ndossche)
 
+- SPL:
+  . Fixed bug GH-20856 (heap-use-after-free in SplDoublyLinkedList iterator
+    when modifying during iteration). (ndossche)
+
 - Standard:
   . Fixed bug #74357 (lchown fails to change ownership of symlink with ZTS)
     (Jakub Zelenka)

ext/spl/spl_dllist.c

@@ -764,11 +764,10 @@ PHP_METHOD(SplDoublyLinkedList, offsetUnset)
 	element = spl_ptr_llist_offset(intern->llist, index, intern->flags & SPL_DLLIST_IT_LIFO);
 
 	if (element != NULL) {
-		/* connect the neighbors */
+		/* disconnect the neighbours */
 		if (element->prev) {
 			element->prev->next = element->next;
 		}
-
 		if (element->next) {
 			element->next->prev = element->prev;
 		}
@@ -782,6 +781,10 @@ PHP_METHOD(SplDoublyLinkedList, offsetUnset)
 			llist->tail = element->prev;
 		}
 
+		/* Keep consistency if element is kept alive. */
+		element->prev = NULL;
+		element->next = NULL;
+
 		/* finally, delete the element */
 		llist->count--;
 

ext/spl/tests/gh20856.phpt

@@ -0,0 +1,26 @@
+--TEST--
+GH-20856 (heap-use-after-free in SplDoublyLinkedList iterator when modifying during iteration)
+--CREDITS--
+vi3tL0u1s
+iluuu1994
+--FILE--
+<?php
+$m = new SplStack;
+$m[] = new stdClass;
+$m[] = new stdClass;
+
+foreach ($m as $l) {
+    unset($m[0]);
+    unset($m[0]);
+}
+
+var_dump($m);
+?>
+--EXPECTF--
+object(SplStack)#%d (%d) {
+  ["flags":"SplDoublyLinkedList":private]=>
+  int(6)
+  ["dllist":"SplDoublyLinkedList":private]=>
+  array(0) {
+  }
+}