Fix phpGH-22062: SplDoublyLinkedList iterator UAF via destructor releasing next node.

devnexen · devnexen · commit d6b7bd0f778c · 2026-05-18T20:21:30.000+01:00
Pin the new traverse target via SPL_LLIST_CHECK_ADDREF before the shift/pop destructor runs. Otherwise a destructor that unlinks the next node (e.g. offsetUnset) frees it, leaving the iterator with a dangling pointer. close phpGH-22066
diff --git a/NEWS b/NEWS
@@ -181,6 +181,8 @@ PHP                                                                        NEWS
     with re-entrant getHash()). (Pratik Bhujel)
   . Fix bugs GH-8561, GH-8562, GH-8563, and GH-8564 (Fixing various
     SplFileObject iterator desync bugs). (iliaal)
+  . Fix bug GH-22062 (SplDoublyLinkedList iterator UAF
+    via destructor releasing next node). (David Carlier)
 
 - Sqlite3:
   . Fix NUL byte truncation in sqlite3 TEXT column handling. (ndossche)
diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
@@ -798,6 +798,7 @@ static void spl_dllist_it_helper_move_forward(spl_ptr_llist_element **traverse_p
 
 		if (flags & SPL_DLLIST_IT_LIFO) {
 			*traverse_pointer_ptr = old->prev;
+			SPL_LLIST_CHECK_ADDREF(*traverse_pointer_ptr);
 			(*traverse_position_ptr)--;
 
 			if (flags & SPL_DLLIST_IT_DELETE) {
@@ -808,6 +809,7 @@ static void spl_dllist_it_helper_move_forward(spl_ptr_llist_element **traverse_p
 			}
 		} else {
 			*traverse_pointer_ptr = old->next;
+			SPL_LLIST_CHECK_ADDREF(*traverse_pointer_ptr);
 
 			if (flags & SPL_DLLIST_IT_DELETE) {
 				zval prev;
@@ -820,7 +822,6 @@ static void spl_dllist_it_helper_move_forward(spl_ptr_llist_element **traverse_p
 		}
 
 		SPL_LLIST_DELREF(old);
-		SPL_LLIST_CHECK_ADDREF(*traverse_pointer_ptr);
 	}
 }
 /* }}} */
diff --git a/ext/spl/tests/gh22062.phpt b/ext/spl/tests/gh22062.phpt
@@ -0,0 +1,29 @@
+--TEST--
+GH-22062 (SplDoublyLinkedList iterator UAF via destructor releasing next node)
+--FILE--
+<?php
+$list = new SplDoublyLinkedList();
+$list->setIteratorMode(
+    SplDoublyLinkedList::IT_MODE_FIFO |
+    SplDoublyLinkedList::IT_MODE_DELETE
+);
+
+$list->push(new class($list) {
+    public function __construct(private SplDoublyLinkedList $list) {}
+    public function __destruct() {
+        if ($this->list->count() > 0) {
+            $this->list->offsetUnset(0);
+        }
+    }
+});
+
+$list->push(new stdClass());
+
+foreach ($list as $item) {
+    unset($item);
+}
+
+var_dump($list->count());
+?>
+--EXPECT--
+int(0)

Original file line number	Diff line number	Diff line change
`@@ -798,6 +798,7 @@ static void spl_dllist_it_helper_move_forward(spl_ptr_llist_element **traverse_p`
`798`	`798`
`799`	`799`	`if (flags & SPL_DLLIST_IT_LIFO) {`
`800`	`800`	`*traverse_pointer_ptr = old->prev;`
	`801`	`+ SPL_LLIST_CHECK_ADDREF(*traverse_pointer_ptr);`
`801`	`802`	`(*traverse_position_ptr)--;`
`802`	`803`
`803`	`804`	`if (flags & SPL_DLLIST_IT_DELETE) {`
`@@ -808,6 +809,7 @@ static void spl_dllist_it_helper_move_forward(spl_ptr_llist_element **traverse_p`
`808`	`809`	`}`
`809`	`810`	`} else {`
`810`	`811`	`*traverse_pointer_ptr = old->next;`
	`812`	`+ SPL_LLIST_CHECK_ADDREF(*traverse_pointer_ptr);`
`811`	`813`
`812`	`814`	`if (flags & SPL_DLLIST_IT_DELETE) {`
`813`	`815`	`zval prev;`
`@@ -820,7 +822,6 @@ static void spl_dllist_it_helper_move_forward(spl_ptr_llist_element **traverse_p`
`820`	`822`	`}`
`821`	`823`
`822`	`824`	`SPL_LLIST_DELREF(old);`
`823`		`- SPL_LLIST_CHECK_ADDREF(*traverse_pointer_ptr);`
`824`	`825`	`}`
`825`	`826`	`}`
`826`	`827`	`/* }}} */`