Merge branch 'PHP-7.4' into PHP-8.0

* PHP-7.4:
  Fix #80663: Recursive SplFixedArray::setSize() may cause double-free

Author: cmb69

NEWS

@@ -28,6 +28,10 @@ PHP                                                                        NEWS
 - PCRE:
   . Fixed bug #81424 (PCRE2 10.35 JIT performance regression). (cmb)
 
+- SPL:
+  . Fixed bug #80663 (Recursive SplFixedArray::setSize() may cause double-free).
+    (cmb, Nikita, Tyson Andre)
+
 - XML:
   . Fixed bug #70962 (XML_OPTION_SKIP_WHITE strips embedded whitespace).
     (Aliaksandr Bystry, cmb)

ext/spl/spl_fixedarray.c

@@ -149,10 +149,14 @@ static void spl_fixedarray_dtor_range(spl_fixedarray *array, zend_long from, zen
  */
 static void spl_fixedarray_dtor(spl_fixedarray *array)
 {
-	zend_long size = array->size;
 	if (!spl_fixedarray_empty(array)) {
-		spl_fixedarray_dtor_range(array, 0, size);
-		efree(array->elements);
+		zval *begin = array->elements, *end = array->elements + array->size;
+		array->elements = NULL;
+		array->size = 0;
+		while (begin != end) {
+			zval_ptr_dtor(--end);
+		}
+		efree(begin);
 	}
 }
 

ext/spl/tests/bug80663.phpt

@@ -0,0 +1,15 @@
+--TEST--
+Bug #80663 (Recursive SplFixedArray::setSize() may cause double-free)
+--FILE--
+<?php
+class InvalidDestructor {
+    public function __destruct() {
+        $GLOBALS['obj']->setSize(0);
+    }
+}
+
+$obj = new SplFixedArray(1000);
+$obj[0] = new InvalidDestructor();
+$obj->setSize(0);
+?>
+--EXPECT--