From 7fe168d85508c14ee1dd531b882363a8cc287f21 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo
Date: Thu, 17 Oct 2024 16:06:05 +0200
Subject: [PATCH] Fix uaf in SplFixedArray::unset()

Fixes GH-16478
Closes GH-16481
---
 NEWS                       |  1 +
 ext/spl/spl_fixedarray.c   |  4 +++-
 ext/spl/tests/gh16478.phpt | 21 +++++++++++++++++++++
 3 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 ext/spl/tests/gh16478.phpt

diff --git a/NEWS b/NEWS
index d173e4c1418..b8ba02ad624 100644
--- a/NEWS
+++ b/NEWS
@@ -71,6 +71,7 @@ PHP NEWS
   . Fixed bug GH-16464 (Use-after-free in SplDoublyLinkedList::offsetSet()).
     (ilutov)
   . Fixed bug GH-16479 (Use-after-free in SplObjectStorage::setInfo()). (ilutov)
+  . Fixed bug GH-16478 (Use-after-free in SplFixedArray::unset()). (ilutov)
 
 - Standard:
   . Fixed bug GH-16293 (Failed assertion when throwing in assert() callback with
diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
index 7c08a189c6f..bbee2b93706 100644
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -484,8 +484,10 @@ static void spl_fixedarray_object_unset_dimension_helper(spl_fixedarray_object *
 		return;
 	} else {
 		intern->array.should_rebuild_properties = true;
-		zval_ptr_dtor(&(intern->array.elements[index]));
+		zval garbage;
+		ZVAL_COPY_VALUE(&garbage, &intern->array.elements[index]);
 		ZVAL_NULL(&intern->array.elements[index]);
+		zval_ptr_dtor(&garbage);
 	}
 }
 
diff --git a/ext/spl/tests/gh16478.phpt b/ext/spl/tests/gh16478.phpt
new file mode 100644
index 00000000000..5a708b36fe8
--- /dev/null
+++ b/ext/spl/tests/gh16478.phpt
@@ -0,0 +1,21 @@
+--TEST--
+GH-16478: Use-after-free in SplFixedArray::unset()
+--FILE--
+setSize(0);
+	}
+}
+
+$arr = new SplFixedArray(2);
+$arr[0] = new C;
+unset($arr[0]);
+var_dump($arr);
+
+?>
+--EXPECT--
+object(SplFixedArray)#1 (0) {
+}
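Review bot: The copy-then-null-then-destroy ordering in the else branch of spl_fixedarray_object_unset_dimension_helper is correct but carries no comment saying why it matters, so a later cleanup could fold it back into a direct `zval_ptr_dtor(&intern->array.elements[index])` and reintroduce the bug. Suggest adding above `zval garbage;`: `/* Clear the slot before destroying the old value: its destructor can re-enter the object (e.g. setSize()) and free or reallocate intern->array.elements (GH-16478). */`. The same re-entrancy hazard presumably applies to any other path that drops an element, such as overwriting one via offsetSet or shrinking via setSize; those are outside this hunk and worth confirming already use this order. The helper begins before the hunk, so the condition guarding the early `return;` is not visible here.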