Fix use-after-free in SplObjectStorage::setInfo()

Fixes GH-16479
Closes GH-16482

NEWS

@@ -70,6 +70,7 @@ PHP                                                                        NEWS
   . Fixed bug GH-16337 (Use-after-free in SplHeap). (nielsdos)
   . Fixed bug GH-16464 (Use-after-free in SplDoublyLinkedList::offsetSet()).
     (ilutov)
+  . Fixed bug GH-16479 (Use-after-free in SplObjectStorage::setInfo()). (ilutov)
 
 - Standard:
   . Fixed bug GH-16293 (Failed assertion when throwing in assert() callback with

ext/spl/spl_observer.c

@@ -746,8 +746,10 @@ PHP_METHOD(SplObjectStorage, setInfo)
 	if ((element = zend_hash_get_current_data_ptr_ex(&intern->storage, &intern->pos)) == NULL) {
 		RETURN_NULL();
 	}
-	zval_ptr_dtor(&element->inf);
+	zval garbage;
+	ZVAL_COPY_VALUE(&garbage, &element->inf);
 	ZVAL_COPY(&element->inf, inf);
+	zval_ptr_dtor(&garbage);
 } /* }}} */
 
 /* {{{ Moves position forward */

ext/spl/tests/gh16479.phpt

@@ -0,0 +1,25 @@
+--TEST--
+GH-16479: Use-after-free in SplObjectStorage::setInfo()
+--FILE--
+<?php
+
+class C {
+    function __destruct() {
+        global $store;
+        $store->removeAll($store);
+    }
+}
+
+$o = new stdClass;
+$store = new SplObjectStorage;
+$store[$o] = new C;
+$store->setInfo(1);
+var_dump($store);
+
+?>
+--EXPECT--
+object(SplObjectStorage)#2 (1) {
+  ["storage":"SplObjectStorage":private]=>
+  array(0) {
+  }
+}