Fix GH-16054: Segmentation fault when resizing hash table iterator list while adding

nielsdos · nielsdos · commit fdd6ba62bb9c · 2024-09-25T21:05:05.000+02:00
zend_array_dup_ht_iterators() loops over the hash table iterators and can call zend_hash_iterator_add(). zend_hash_iterator_add() can resize the array causing a crash in zend_array_dup_ht_iterators(). We solve this by refetching the iter pointer after an add happened. Closes GH-16060.
diff --git a/NEWS b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.3.13
 
+- Core:
+  . Fixed bug GH-16054 (Segmentation fault when resizing hash table iterator
+    list while adding). (nielsdos)
+
 - DOM:
   . Fixed bug GH-16039 (Segmentation fault (access null pointer) in
     ext/dom/parentnode/tree.c). (nielsdos)
diff --git a/Zend/zend_hash.c b/Zend/zend_hash.c
@@ -2346,17 +2346,20 @@ static zend_always_inline bool zend_array_dup_element(HashTable *source, HashTab
 
 // We need to duplicate iterators to be able to search through all copy-on-write copies to find the actually iterated HashTable and position back
 static void zend_array_dup_ht_iterators(HashTable *source, HashTable *target) {
-	HashTableIterator *iter = EG(ht_iterators);
-	HashTableIterator *end  = iter + EG(ht_iterators_used);
+	uint32_t iter_index = 0;
+	uint32_t end_index = EG(ht_iterators_used);
 
-	while (iter != end) {
+	while (iter_index != end_index) {
+		HashTableIterator *iter = &EG(ht_iterators)[iter_index];
 		if (iter->ht == source) {
 			uint32_t copy_idx = zend_hash_iterator_add(target, iter->pos);
+			/* Refetch iter because the memory may be reallocated. */
+			iter = &EG(ht_iterators)[iter_index];
 			HashTableIterator *copy_iter = EG(ht_iterators) + copy_idx;
 			copy_iter->next_copy = iter->next_copy;
 			iter->next_copy = copy_idx;
 		}
-		iter++;
+		iter_index++;
 	}
 }
 
diff --git a/ext/spl/tests/gh16054.phpt b/ext/spl/tests/gh16054.phpt
@@ -0,0 +1,15 @@
+--TEST--
+GH-16054 (Segmentation fault when resizing hash table iterator list while adding)
+--FILE--
+<?php
+$multi_array = ['zero'];
+$multi_array[] =& $multi_array;
+$it = new RecursiveTreeIterator(new RecursiveArrayIterator($multi_array), 0);
+$counter = 0;
+foreach ($it as $k => $v) {
+    if (++$counter > 200) break;
+}
+echo "ok\n";
+?>
+--EXPECT--
+ok
