Merge branch 'PHP-8.1'

cmb69 · cmb69 · commit 9800845d43b5 · 2021-09-28T15:55:40.000+02:00
* PHP-8.1:
  Fix #80663: Recursive SplFixedArray::setSize() may cause double-free
diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
@@ -156,10 +156,14 @@ static void spl_fixedarray_dtor_range(spl_fixedarray *array, zend_long from, zen
  */
 static void spl_fixedarray_dtor(spl_fixedarray *array)
 {
-	zend_long size = array->size;
 	if (!spl_fixedarray_empty(array)) {
-		spl_fixedarray_dtor_range(array, 0, size);
-		efree(array->elements);
+		zval *begin = array->elements, *end = array->elements + array->size;
+		array->elements = NULL;
+		array->size = 0;
+		while (begin != end) {
+			zval_ptr_dtor(--end);
+		}
+		efree(begin);
 	}
 }
 
diff --git a/ext/spl/tests/bug80663.phpt b/ext/spl/tests/bug80663.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #80663 (Recursive SplFixedArray::setSize() may cause double-free)
+--FILE--
+<?php
+class InvalidDestructor {
+    public function __destruct() {
+        $GLOBALS['obj']->setSize(0);
+    }
+}
+
+$obj = new SplFixedArray(1000);
+$obj[0] = new InvalidDestructor();
+$obj->setSize(0);
+?>
+--EXPECT--

Original file line number	Diff line number	Diff line change
`@@ -156,10 +156,14 @@ static void spl_fixedarray_dtor_range(spl_fixedarray *array, zend_long from, zen`
`156`	`156`	`*/`
`157`	`157`	`static void spl_fixedarray_dtor(spl_fixedarray *array)`
`158`	`158`	`{`
`159`		`- zend_long size = array->size;`
`160`	`159`	`if (!spl_fixedarray_empty(array)) {`
`161`		`- spl_fixedarray_dtor_range(array, 0, size);`
`162`		`- efree(array->elements);`
	`160`	`+ zval begin = array->elements, end = array->elements + array->size;`
	`161`	`+ array->elements = NULL;`
	`162`	`+ array->size = 0;`
	`163`	`+ while (begin != end) {`
	`164`	`+ zval_ptr_dtor(--end);`
	`165`	`+ }`
	`166`	`+ efree(begin);`
`163`	`167`	`}`
`164`	`168`	`}`
`165`	`169`