Merge branch 'PHP-8.4'

nielsdos · nielsdos · commit e035a957237a · 2024-09-25T21:09:11.000+02:00
* PHP-8.4: Fix GH-16054: Segmentation fault when resizing hash table iterator list while adding
diff --git a/Zend/zend_hash.c b/Zend/zend_hash.c
@@ -2345,17 +2345,20 @@ static zend_always_inline bool zend_array_dup_element(const HashTable *source, H
 
 // We need to duplicate iterators to be able to search through all copy-on-write copies to find the actually iterated HashTable and position back
 static void zend_array_dup_ht_iterators(const HashTable *source, HashTable *target) {
-	HashTableIterator *iter = EG(ht_iterators);
-	const HashTableIterator *end = iter + EG(ht_iterators_used);
+	uint32_t iter_index = 0;
+	uint32_t end_index = EG(ht_iterators_used);
 
-	while (iter != end) {
+	while (iter_index != end_index) {
+		HashTableIterator *iter = &EG(ht_iterators)[iter_index];
 		if (iter->ht == source) {
 			uint32_t copy_idx = zend_hash_iterator_add(target, iter->pos);
+			/* Refetch iter because the memory may be reallocated. */
+			iter = &EG(ht_iterators)[iter_index];
 			HashTableIterator *copy_iter = EG(ht_iterators) + copy_idx;
 			copy_iter->next_copy = iter->next_copy;
 			iter->next_copy = copy_idx;
 		}
-		iter++;
+		iter_index++;
 	}
 }
 
diff --git a/ext/spl/tests/gh16054.phpt b/ext/spl/tests/gh16054.phpt
@@ -0,0 +1,15 @@
+--TEST--
+GH-16054 (Segmentation fault when resizing hash table iterator list while adding)
+--FILE--
+<?php
+$multi_array = ['zero'];
+$multi_array[] =& $multi_array;
+$it = new RecursiveTreeIterator(new RecursiveArrayIterator($multi_array), 0);
+$counter = 0;
+foreach ($it as $k => $v) {
+    if (++$counter > 200) break;
+}
+echo "ok\n";
+?>
+--EXPECT--
+ok
