Merge branch 'PHP-8.4'

* PHP-8.4: Fix uaf in SplDoublyLinkedList::offsetSet()
2025-08-15 21:48:51 +02:00 · 2024-10-16 23:05:55 +02:00 · 2024-10-16 23:05:55 +02:00 · 1a2b370ad6
commit 1a2b370ad6
parent ec152105f2 d15e227750
2 changed files with 32 additions and 1 deletions
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@ -726,8 +726,10 @@ PHP_METHOD(SplDoublyLinkedList, offsetSet)
 		if (element != NULL) {
 			/* the element is replaced, delref the old one as in
 			 * SplDoublyLinkedList::pop() */
-			zval_ptr_dtor(&element->data);
+			zval garbage;
+			ZVAL_COPY_VALUE(&garbage, &element->data);
 			ZVAL_COPY(&element->data, value);
+			zval_ptr_dtor(&garbage);
 		} else {
 			zval_ptr_dtor(value);
 			zend_argument_error(spl_ce_OutOfRangeException, 1, "is an invalid offset");
--- a/ext/spl/tests/gh16464.phpt
+++ b/ext/spl/tests/gh16464.phpt
@ -0,0 +1,29 @@
+--TEST--
+GH-16464: Use-after-free in SplDoublyLinkedList::offsetSet() when modifying list in destructor of overwritten object
+--FILE--
+<?php
+
+class C {
+    public $a;
+
+    function __destruct() {
+        global $list;
+        var_dump($list->pop());
+    }
+}
+
+$list = new SplDoublyLinkedList;
+$list->add(0, new C);
+$list[0] = 42;
+var_dump($list);
+
+?>
+--EXPECTF--
+int(42)
+object(SplDoublyLinkedList)#%d (2) {
+  ["flags":"SplDoublyLinkedList":private]=>
+  int(0)
+  ["dllist":"SplDoublyLinkedList":private]=>
+  array(0) {
+  }
+}