Add a unlink check for php_stream_bucket_unlink

This is in the same spirit as php#13943: low-hanging,
not in a hot-path, trivial, removing a limited-linear-write → arbitrary-write
primitive, … moreover, given how many filters are available, having some
low-hanging hardening there shouldn't hurt.

cc @arnaud-lb

Author: jvoisin

main/streams/filter.c

@@ -192,11 +192,17 @@ PHPAPI void php_stream_bucket_append(php_stream_bucket_brigade *brigade, php_str
 PHPAPI void php_stream_bucket_unlink(php_stream_bucket *bucket)
 {
 	if (bucket->prev) {
+		if (bucket->prev->next != bucket) {
+			zend_error_noreturn(E_ERROR, "Stream bucket list corruption.");
+		}
 		bucket->prev->next = bucket->next;
 	} else if (bucket->brigade) {
 		bucket->brigade->head = bucket->next;
 	}
 	if (bucket->next) {
+		if (bucket->next->prev != bucket) {
+			zend_error_noreturn(E_ERROR, "Stream bucket list corruption.");
+		}
 		bucket->next->prev = bucket->prev;
 	} else if (bucket->brigade) {
 		bucket->brigade->tail = bucket->prev;