Merge branch 'PHP-7.4'

nikic · nikic · commit 60f62359a06b · 2020-01-23T14:21:21.000+01:00
* PHP-7.4:
  Fixed bug #79151
diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
@@ -255,6 +255,7 @@ static void spl_ptr_llist_pop(spl_ptr_llist *llist, zval *ret) /* {{{ */
 	llist->count--;
 	ZVAL_COPY(ret, &tail->data);
 
+	tail->prev = NULL;
 	if (llist->dtor) {
 		llist->dtor(tail);
 	}
@@ -308,6 +309,7 @@ static void spl_ptr_llist_shift(spl_ptr_llist *llist, zval *ret) /* {{{ */
 	llist->count--;
 	ZVAL_COPY(ret, &head->data);
 
+	head->next = NULL;
 	if (llist->dtor) {
 		llist->dtor(head);
 	}
diff --git a/ext/spl/tests/bug79151.phpt b/ext/spl/tests/bug79151.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #79151: heap use after free caused by spl_dllist_it_helper_move_forward
+--FILE--
+<?php
+
+$a = new SplDoublyLinkedList();
+$a->setIteratorMode(SplDoublyLinkedList::IT_MODE_LIFO | SplDoublyLinkedList::IT_MODE_DELETE);
+$a->push(1);
+$a->rewind();
+$a->unshift(2);
+var_dump($a->pop());
+var_dump($a->next());
+
+$a = new SplDoublyLinkedList();
+$a->setIteratorMode(SplDoublyLinkedList::IT_MODE_FIFO | SplDoublyLinkedList::IT_MODE_DELETE);
+$a->unshift(1);
+$a->rewind();
+$a->push(2);
+var_dump($a->shift());
+var_dump($a->next());
+
+?>
+--EXPECT--
+int(1)
+NULL
+int(1)
+NULL

Original file line number	Diff line number	Diff line change
`@@ -255,6 +255,7 @@ static void spl_ptr_llist_pop(spl_ptr_llist llist, zval ret) /* {{{ */`
`255`	`255`	`llist->count--;`
`256`	`256`	`ZVAL_COPY(ret, &tail->data);`
`257`	`257`
	`258`	`+ tail->prev = NULL;`
`258`	`259`	`if (llist->dtor) {`
`259`	`260`	`llist->dtor(tail);`
`260`	`261`	`}`
`@@ -308,6 +309,7 @@ static void spl_ptr_llist_shift(spl_ptr_llist llist, zval ret) /* {{{ */`
`308`	`309`	`llist->count--;`
`309`	`310`	`ZVAL_COPY(ret, &head->data);`
`310`	`311`
	`312`	`+ head->next = NULL;`
`311`	`313`	`if (llist->dtor) {`
`312`	`314`	`llist->dtor(head);`
`313`	`315`	`}`