author | Nikita Popov <nikita.ppv@gmail.com> | 2021-03-01 16:20:31 +0100 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2021-03-01 16:22:11 +0100 |
commit | 2c508c4d407e98a27ed2631ae88e2e10ee430003 (patch) | |
tree | 35cd4ff437a1d3d581f8dc7674b15bbb3117e6fb /Zend | |
parent | e8579365181d8e61c00968715ed8be5ec151002d (diff) | |
Always remove HT iterators, even for uninit HT
Fixes oss-fuzz #31423.
Diffstat (limited to 'Zend')
-rw-r--r-- | Zend/tests/array_splice_empty_ht_iter_removal.phpt | 15 | ||||
-rw-r--r-- | Zend/zend_hash.c | 2 |
2 files changed, 16 insertions, 1 deletions
diff --git a/Zend/tests/array_splice_empty_ht_iter_removal.phpt b/Zend/tests/array_splice_empty_ht_iter_removal.phpt
new file mode 100644
index 0000000000..1461827bc9
--- /dev/null
+++ b/Zend/tests/array_splice_empty_ht_iter_removal.phpt
@@ -0,0 +1,15 @@
+--TEST--
+HT iterator should be destroyed if array becomes empty during array_splice
+--FILE--
+<?php
+$a=[4];
+$i = 0;
+foreach ($a as &$r) {
+ var_dump($r);
+ $a = array_splice($a, 0);
+ if (++$i == 2) break;
+}
+?>
+--EXPECT--
+int(4)
+int(4)
diff --git a/Zend/zend_hash.c b/Zend/zend_hash.c
index d35d8afd53..da150bd798 100644
--- a/Zend/zend_hash.c
+++ b/Zend/zend_hash.c
@@ -1630,10 +1630,10 @@ ZEND_API void ZEND_FASTCALL zend_array_destroy(HashTable *ht)
 } else if (EXPECTED(HT_FLAGS(ht) & HASH_FLAG_UNINITIALIZED)) {
 goto free_ht;
 }
- zend_hash_iterators_remove(ht);
 SET_INCONSISTENT(HT_DESTROYED);
 efree(HT_GET_DATA_ADDR(ht));
 free_ht:
+ zend_hash_iterators_remove(ht);
 FREE_HASHTABLE(ht);
 } |
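Review bot: The `--EXPECT--` section pins only the two `int(4)` dumps, so on a build without a memory checker a stale iterator left behind by the destroyed array might not change the output and the test could pass without the fix; that is inferred, not shown on this page. Naming the report in the header would make the purpose traceable, e.g. `HT iterator should be destroyed if array becomes empty during array_splice (oss-fuzz #31423)`. A comment above `if (++$i == 2) break;` would also help, since the by-reference foreach presumably follows the reassigned `$a` and the counter is what bounds the loop: `// by-ref foreach follows the reassigned $a; bound the loop`.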
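Review bot: After the move, `zend_hash_iterators_remove(ht)` runs after `SET_INCONSISTENT(HT_DESTROYED)` and `efree(HT_GET_DATA_ADDR(ht))` on the normal path, so the new placement depends on that helper reading only the HashTable header and the iterator list, never the released bucket data. The helper is not visible in this hunk, so that assumption should be confirmed, along with whether the call is safe to repeat if an earlier `goto free_ht` path has already removed the iterators. A comment at the label would record why the ordering is deliberate: `/* Runs on every exit path, incl. uninitialized tables: no live iterator may keep pointing at a HashTable about to be freed. Must not touch arData, already released here. */`. zend_array_destroy begins outside the hunk, so the other jumps to `free_ht` cannot be checked from here.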