From 76af5a9e3aff0c9d9f94c61b100081cab8b3e267 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sat, 12 Apr 2025 00:57:48 +0200
Subject: [PATCH] Fix GlobIterator without constructor breaks count()

As reported by OpenAI AARDVARK.
---
 ext/spl/spl_directory.c | 12 ++++++------
 ext/spl/tests/GlobIterator_constructor_count.phpt | 14 ++++++++++++++
 2 files changed, 20 insertions(+), 6 deletions(-)
 create mode 100644 ext/spl/tests/GlobIterator_constructor_count.phpt

diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
index 461bdc1e901ec..751000fe63004 100644
--- a/ext/spl/spl_directory.c
+++ b/ext/spl/spl_directory.c
@@ -1599,12 +1599,12 @@ PHP_METHOD(GlobIterator, count)
 RETURN_THROWS();
 }

- /* The spl_filesystem_object_get_method_check() function is called prior to calling this function.
- * Therefore, the directory entry cannot be NULL. However, if it is not NULL, then it must be a glob iterator
- * by construction. */
- ZEND_ASSERT(spl_intern_is_glob(intern));
-
- RETURN_LONG(php_glob_stream_get_count(intern->u.dir.dirp, NULL));
+ if (EXPECTED(spl_intern_is_glob(intern))) {
+ RETURN_LONG(php_glob_stream_get_count(intern->u.dir.dirp, NULL));
+ } else {
+ /* This can happen by avoiding constructors in specially-crafted code. */
+ zend_throw_error(NULL, "GlobIterator is not initialized");
+ }
 }
 /* }}} */
 #endif /* HAVE_GLOB */
diff --git a/ext/spl/tests/GlobIterator_constructor_count.phpt b/ext/spl/tests/GlobIterator_constructor_count.phpt
new file mode 100644
index 0000000000000..5f96be6219d62
--- /dev/null
+++ b/ext/spl/tests/GlobIterator_constructor_count.phpt
@@ -0,0 +1,14 @@
+--TEST--
+GlobIterator without constructor breaks count()
+--FILE--
+newInstanceWithoutConstructor();
+try {
+ count($in);
+} catch (Error $e) {
+ echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+GlobIterator is not initialized
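Review bot: The new else branch in PHP_METHOD(GlobIterator, count) ends on `zend_throw_error(NULL, "GlobIterator is not initialized");` and then falls off the end of the function; following it with `RETURN_THROWS();`, as the parameter-parsing guard at the top of this hunk does, keeps the exception path explicit if code is later added below. The runtime check is only as strong as `spl_intern_is_glob()`, whose body is outside this hunk: on an object created without its constructor `intern->u.dir.dirp` is presumably NULL, so confirm the helper tests for NULL before it inspects the stream. The new comment could also record why an assertion was not enough, e.g. `/* Constructor may have been skipped (e.g. via reflection), leaving dirp unset; ZEND_ASSERT is not checked in release builds. */`. The function body starts before the hunk.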