{{ message }}
ext/spl: fix use-after-free in RecursiveIteratorIterator on reentrant…#22496
Open
devnexen wants to merge 1 commit into
Open
ext/spl: fix use-after-free in RecursiveIteratorIterator on reentrant…#22496devnexen wants to merge 1 commit into
devnexen wants to merge 1 commit into
Conversation
Girgias
requested changes
Jun 28, 2026
Girgias
left a comment
Girgias
left a comment
Member
There was a problem hiding this comment.
This is special crafted code, and I would prefer we would throw an exception when trying to call rewind.
The hasChildren() methods should definitely not be faffing around with the state of the object, and getChildren() explicitly mentions of the current item, so rewinding is also not something that should be permitted:
Returns an iterator for the current iterator entry.
hasChildren() and getChildren() must not mutate the iteration state: hasChildren() is a predicate and getChildren() returns an iterator for the *current* item. A reentrant rewind()/next() from within either ran spl_recursive_it_rewind_ex()/move_forward_ex(), which tore down the active levels and erealloc()ed object->iterators under the outer move_forward frame, leaving its cached sub-object and iterators[] dangling (use-after-free). Track that we are inside such a call and throw an Error if rewind()/next() re-enters, instead of silently coping with it. The guard is reset across a bailout so a fatal inside the callback cannot leave the iterator wedged. Follow-up to phpGH-22466, phpGH-22478.
devnexen
force-pushed
the
recursive_iterator_fixes_followup
branch
from
8dd0d10 to
45b6139
Compare
devnexen
requested review from
SakiTakamachi,
TimWolla,
adoy,
arnaud-lb,
derickr,
dstogov and
kocsismate
as code owners
github-actions
Bot
added
Category: Build System
Category: Engine
Extension: bcmath
Extension: bz2
Extension: calendar
Extension: com_dotnet
Extension: ctype
Extension: curl
Extension: date
Extension: dba
Extension: dom
Extension: enchant
Extension: exif
Extension: ffi
Category: Optimizer
Category: CI
ABI break
labels
devnexen
removed
Category: Build System
Category: Engine
Extension: bcmath
Extension: bz2
Extension: calendar
Extension: com_dotnet
Extension: ctype
Extension: curl
Extension: date
Extension: dba
Extension: dom
Extension: enchant
Extension: exif
Extension: ffi
Category: Optimizer
Category: CI
ABI break
labels
devnexen
removed request for
SakiTakamachi,
TimWolla,
adoy,
arnaud-lb,
derickr,
dstogov and
kocsismate
Member
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
… rewind().
Guard hasChildren()/getChildren() against reentrant rewind()/next() the same way valid() was guarded. Follow-up to GH-22466, GH-22478.