Fixes infinite recursion introduced by patch to SplFixedArray

TysonAndre · TysonAndre · commit d55c30eb0259 · 2022-02-15T19:59:41.000-05:00
Closes GH-8079 Under most circumstances, the zend_hash_index_update is setting the value to itself when the hash table's reference count is already 2
diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
@@ -199,6 +199,55 @@ static HashTable* spl_fixedarray_object_get_gc(zend_object *obj, zval **table, i
 	return ht;
 }
 
+static zend_bool spl_fixedarray_shallow_identical(zval *v1, zval *v2)
+{
+	if (Z_TYPE_P(v1) != Z_TYPE_P(v2)) {
+		return false;
+	}
+	switch (Z_TYPE_P(v1)) {
+		case IS_NULL:
+		case IS_FALSE:
+		case IS_TRUE:
+			return true;
+		case IS_LONG:
+			return Z_LVAL_P(v1) == Z_LVAL_P(v2);
+		case IS_DOUBLE: {
+			double d1 = Z_DVAL_P(v1);
+			double d2 = Z_DVAL_P(v2);
+			/* Also check for NAN */
+			return d1 == d2 || (d1 != d1 && d2 != d2);
+		}
+		case IS_STRING:
+			return Z_STR_P(v1) == Z_STR_P(v2); /* Same pointer */
+		case IS_ARRAY:
+			return Z_ARR_P(v1) == Z_ARR_P(v2); /* Same pointer */
+		case IS_OBJECT:
+			return Z_OBJ_P(v1) == Z_OBJ_P(v2);
+		case IS_RESOURCE:
+			return Z_RES_P(v1) == Z_RES_P(v2);
+		default:
+			return false;
+	}
+}
+
+static zend_bool spl_fixedarray_object_needs_rebuild(spl_fixedarray_object *intern, HashTable *ht, zend_long j)
+{
+	for (zend_long i = 0; i < intern->array.size; i++) {
+		zval *old = zend_hash_index_find(ht, i);
+		if (old == NULL || !spl_fixedarray_shallow_identical(&intern->array.elements[i], old)) {
+			return true;
+		}
+	}
+	if (j > intern->array.size) {
+		for (zend_long i = intern->array.size; i < j; ++i) {
+			if (zend_hash_index_exists(ht, i)) {
+				return true;
+			}
+		}
+	}
+	return false;
+}
+
 static HashTable* spl_fixedarray_object_get_properties(zend_object *obj)
 {
 	spl_fixedarray_object *intern = spl_fixed_array_from_obj(obj);
@@ -208,6 +257,19 @@ static HashTable* spl_fixedarray_object_get_properties(zend_object *obj)
 		zend_long j = zend_hash_num_elements(ht);
 
 		if (GC_REFCOUNT(ht) > 1) {
+			/*
+			 * Usually, the reference count of the hash table is 1,
+			 * except during cyclic reference cycles.
+			 *
+			 * Attempt to maintain the DEBUG invariant that a hash table isn't modified during iteration.
+			 *
+			 * See https://github.com/php/php-src/issues/8079 and ext/spl/tests/fixedarray_022.phpt
+			 * Also see https://github.com/php/php-src/issues/8044 for alternate considered approaches.
+			 */
+			if (!spl_fixedarray_object_needs_rebuild(intern, ht, j)) {
+				/* Return the same hash table so that recursion cycle detection works in internal functions. */
+				return ht;
+			}
 			intern->std.properties = zend_array_dup(ht);
 			if (!(GC_FLAGS(ht) & GC_IMMUTABLE)) {
 				GC_DELREF(ht);
diff --git a/ext/spl/tests/fixedarray_023.phpt b/ext/spl/tests/fixedarray_023.phpt
@@ -0,0 +1,31 @@
+--TEST--
+SPL: FixedArray: Infinite loop in var_export bugfix
+--FILE--
+<?php
+call_user_func(function () {
+    $x = new SplFixedArray(3);
+    $x[0] = NAN; // Test NAN just in case this check is incorrectly refactored to use zend_is_identical
+    $x[1] = $x;
+    $x[2] = $x;
+    var_export($x);
+    echo "\n";
+    debug_zval_dump($x);
+});
+?>
+--EXPECTF--
+Warning: var_export does not handle circular references in %s on line 7
+
+Warning: var_export does not handle circular references in %s on line 7
+SplFixedArray::__set_state(array(
+   0 => NAN,
+   1 => NULL,
+   2 => NULL,
+))
+object(SplFixedArray)#2 (3) refcount(6){
+  [0]=>
+  float(NAN)
+  [1]=>
+  *RECURSION*
+  [2]=>
+  *RECURSION*
+}
