Fix GH-18018: RC1 data returned from offsetGet causes UAF in ArrayObject

We should first check truthiness and only after that destroy the value.

Closes GH-18034.

NEWS

@@ -20,6 +20,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-17989 (mb_output_handler crash with unset
     http_output_conv_mimetypes). (nielsdos)
 
+- SPL:
+  . Fixed bug GH-18018 (RC1 data returned from offsetGet causes UAF in
+    ArrayObject). (nielsdos)
+
 - Treewide:
   . Fixed bug GH-17736 (Assertion failure zend_reference_destroy()). (nielsdos)
 

ext/spl/spl_array.c

@@ -641,12 +641,14 @@ static bool spl_array_has_dimension_ex(bool check_inherited, zend_object *object
 		}
 	}
 
+	/* empty() check the value is not falsy, isset() only check it is not null */
+	bool result = check_empty ? zend_is_true(value) : Z_TYPE_P(value) != IS_NULL;
+
 	if (value == &rv) {
 		zval_ptr_dtor(&rv);
 	}
 
-	/* empty() check the value is not falsy, isset() only check it is not null */
+	return result;
-	return check_empty ? zend_is_true(value) : Z_TYPE_P(value) != IS_NULL;
 } /* }}} */
 
 static int spl_array_has_dimension(zend_object *object, zval *offset, int check_empty) /* {{{ */

ext/spl/tests/gh18018.phpt

@@ -0,0 +1,20 @@
+--TEST--
+GH-18018 (RC1 data returned from offsetGet causes UAF in ArrayObject)
+--FILE--
+<?php
+class Crap extends ArrayObject
+{
+    public function offsetGet($offset): mixed
+    {
+        return [random_int(1,1)];
+    }
+}
+
+$values = ['qux' => 1];
+
+$object = new Crap($values);
+
+var_dump(empty($object['qux']));
+?>
+--EXPECT--
+bool(false)