Always remove HT iterators, even for uninit HT

Fixes oss-fuzz #31423.
author: Nikita Popov <nikita.ppv@gmail.com> 2021-03-01 16:20:31 +0100
committer: Nikita Popov <nikita.ppv@gmail.com> 2021-03-01 16:22:11 +0100
commit: 2c508c4d407e98a27ed2631ae88e2e10ee430003 (patch)
tree: 35cd4ff437a1d3d581f8dc7674b15bbb3117e6fb /Zend
parent: e8579365181d8e61c00968715ed8be5ec151002d (diff)
download: php-git-2c508c4d407e98a27ed2631ae88e2e10ee430003.tar.gz
2 files changed, 16 insertions, 1 deletions
diff --git a/Zend/tests/array_splice_empty_ht_iter_removal.phpt b/Zend/tests/array_splice_empty_ht_iter_removal.phpt
new file mode 100644
index 0000000000..1461827bc9
--- /dev/null
+++ b/Zend/tests/array_splice_empty_ht_iter_removal.phpt
@@ -0,0 +1,15 @@
+--TEST--
+HT iterator should be destroyed if array becomes empty during array_splice
+--FILE--
+<?php
+$a=[4];
+$i = 0;
+foreach ($a as &$r) {
+    var_dump($r);
+    $a = array_splice($a, 0);
+    if (++$i == 2) break;
+}
+?>
+--EXPECT--
+int(4)
+int(4)
diff --git a/Zend/zend_hash.c b/Zend/zend_hash.c
index d35d8afd53..da150bd798 100644
--- a/Zend/zend_hash.c
+++ b/Zend/zend_hash.c
@@ -1630,10 +1630,10 @@ ZEND_API void ZEND_FASTCALL zend_array_destroy(HashTable *ht)
 	} else if (EXPECTED(HT_FLAGS(ht) & HASH_FLAG_UNINITIALIZED)) {
 		goto free_ht;
 	}
-	zend_hash_iterators_remove(ht);
 	SET_INCONSISTENT(HT_DESTROYED);
 	efree(HT_GET_DATA_ADDR(ht));
 free_ht:
+	zend_hash_iterators_remove(ht);
 	FREE_HASHTABLE(ht);
 }
author	Nikita Popov <nikita.ppv@gmail.com>	2021-03-01 16:20:31 +0100
committer	Nikita Popov <nikita.ppv@gmail.com>	2021-03-01 16:22:11 +0100
commit	2c508c4d407e98a27ed2631ae88e2e10ee430003 (patch)
tree	35cd4ff437a1d3d581f8dc7674b15bbb3117e6fb /Zend
parent	e8579365181d8e61c00968715ed8be5ec151002d (diff)
download	php-git-2c508c4d407e98a27ed2631ae88e2e10ee430003.tar.gz