Merge branch 'PHP-8.2' into PHP-8.3

* PHP-8.2: Fix uaf in SplDoublyLinkedList::offsetSet()
2026-03-24 00:02:20 +01:00 · 2024-10-16 23:05:15 +02:00
parent 931762c626 8820a10360
commit e5d837ca79
3 changed files with 34 additions and 1 deletions
--- a/2
+++ b/2
@@ -74,6 +74,8 @@ PHP                                                                        NEWS

 - SPL:
  . Fixed bug GH-16337 (Use-after-free in SplHeap). (nielsdos)
+  . Fixed bug GH-16464 (Use-after-free in SplDoublyLinkedList::offsetSet()).
+    (ilutov)

 - Standard:
  . Fixed bug GH-16293 (Failed assertion when throwing in assert() callback with
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -736,8 +736,10 @@ PHP_METHOD(SplDoublyLinkedList, offsetSet)
 		if (element != NULL) {
 			/* the element is replaced, delref the old one as in
 			 * SplDoublyLinkedList::pop() */
-			zval_ptr_dtor(&element->data);
+			zval garbage;
+			ZVAL_COPY_VALUE(&garbage, &element->data);
 			ZVAL_COPY(&element->data, value);
+			zval_ptr_dtor(&garbage);
 		} else {
 			zval_ptr_dtor(value);
 			zend_argument_error(spl_ce_OutOfRangeException, 1, "is an invalid offset");
--- a/ext/spl/tests/gh16464.phpt
+++ b/ext/spl/tests/gh16464.phpt
@@ -0,0 +1,29 @@
+--TEST--
+GH-16464: Use-after-free in SplDoublyLinkedList::offsetSet() when modifying list in destructor of overwritten object
+--FILE--
+<?php
+
+class C {
+    public $a;
+
+    function __destruct() {
+        global $list;
+        var_dump($list->pop());
+    }
+}
+
+$list = new SplDoublyLinkedList;
+$list->add(0, new C);
+$list[0] = 42;
+var_dump($list);
+
+?>
+--EXPECTF--
+int(42)
+object(SplDoublyLinkedList)#%d (2) {
+  ["flags":"SplDoublyLinkedList":private]=>
+  int(0)
+  ["dllist":"SplDoublyLinkedList":private]=>
+  array(0) {
+  }
+}