Merge branch 'PHP-7.3' into PHP-7.4

nikic · nikic · commit 3f020aef85f1 · 2020-01-23T14:21:14.000+01:00
* PHP-7.3:
  Fixed bug #79151
diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
@@ -257,6 +257,7 @@ static void spl_ptr_llist_pop(spl_ptr_llist *llist, zval *ret) /* {{{ */
 	llist->count--;
 	ZVAL_COPY(ret, &tail->data);
 
+	tail->prev = NULL;
 	if (llist->dtor) {
 		llist->dtor(tail);
 	}
@@ -310,6 +311,7 @@ static void spl_ptr_llist_shift(spl_ptr_llist *llist, zval *ret) /* {{{ */
 	llist->count--;
 	ZVAL_COPY(ret, &head->data);
 
+	head->next = NULL;
 	if (llist->dtor) {
 		llist->dtor(head);
 	}
diff --git a/ext/spl/tests/bug79151.phpt b/ext/spl/tests/bug79151.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #79151: heap use after free caused by spl_dllist_it_helper_move_forward
+--FILE--
+<?php
+
+$a = new SplDoublyLinkedList();
+$a->setIteratorMode(SplDoublyLinkedList::IT_MODE_LIFO | SplDoublyLinkedList::IT_MODE_DELETE);
+$a->push(1);
+$a->rewind();
+$a->unshift(2);
+var_dump($a->pop());
+var_dump($a->next());
+
+$a = new SplDoublyLinkedList();
+$a->setIteratorMode(SplDoublyLinkedList::IT_MODE_FIFO | SplDoublyLinkedList::IT_MODE_DELETE);
+$a->unshift(1);
+$a->rewind();
+$a->push(2);
+var_dump($a->shift());
+var_dump($a->next());
+
+?>
+--EXPECT--
+int(1)
+NULL
+int(1)
+NULL

Original file line number	Diff line number	Diff line change
`@@ -257,6 +257,7 @@ static void spl_ptr_llist_pop(spl_ptr_llist llist, zval ret) /* {{{ */`
`257`	`257`	`llist->count--;`
`258`	`258`	`ZVAL_COPY(ret, &tail->data);`
`259`	`259`
	`260`	`+ tail->prev = NULL;`
`260`	`261`	`if (llist->dtor) {`
`261`	`262`	`llist->dtor(tail);`
`262`	`263`	`}`
`@@ -310,6 +311,7 @@ static void spl_ptr_llist_shift(spl_ptr_llist llist, zval ret) /* {{{ */`
`310`	`311`	`llist->count--;`
`311`	`312`	`ZVAL_COPY(ret, &head->data);`
`312`	`313`
	`314`	`+ head->next = NULL;`
`313`	`315`	`if (llist->dtor) {`
`314`	`316`	`llist->dtor(head);`
`315`	`317`	`}`