From 70d24d30118f24adffffd2d159ca3d144dd8b428 Mon Sep 17 00:00:00 2001
From: Zhou Qingyang <zhou1615@umn.edu>
Date: Tue, 29 Mar 2022 23:37:18 +0800
Subject: [PATCH] Fix a NULL pointer dereference of spl_ptr_llist_offset()

spl_ptr_llist_offset() will return NULL when offset is invalid. However
in the function zim_SplDoublyLinkedList_add(), the return value of
spl_ptr_llist_offset() is directly used without check, which could
lead to possible NULL pointer dereference.

Fix this bug by adding the check of spl_ptr_llist_offset() like others.

This bug is found by a static analyzer, making it hard to reproduce.
---
 ext/spl/spl_dllist.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
index c576104139315..c6a022e8b7f7f 100644
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -1257,6 +1257,7 @@ PHP_METHOD(SplDoublyLinkedList, add)
 
 		/* Get the element we want to insert before */
 		element = spl_ptr_llist_offset(intern->llist, index, intern->flags & SPL_DLLIST_IT_LIFO);
+		ZEND_ASSERT(element != NULL);
 
 		ZVAL_COPY_VALUE(&elem->data, value);
 		SPL_LLIST_RC(elem) = 1;