Merge branch 'PHP-5.5' into PHP-5.6

* PHP-5.5:
  Check for zero-length keys in spl_array_skip_protected and don't skip them.
  added CVEs in NEWS

2 files changed, 42 insertions, 1 deletions

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 6ee67bfe94..f450e0b715 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -931,7 +931,14 @@ static int spl_array_skip_protected(spl_array_object *intern, HashTable *aht TSR
 	if (Z_TYPE_P(intern->array) == IS_OBJECT) {
 		do {
 			if (zend_hash_get_current_key_ex(aht, &string_key, &string_length, &num_key, 0, &intern->pos) == HASH_KEY_IS_STRING) {
-				if (!string_length || string_key[0]) {
+				/* zend_hash_get_current_key_ex() should never set
+				 * string_length to 0 when returning HASH_KEY_IS_STRING, but we
+				 * may as well be defensive and consider that successful.
+				 * Beyond that, we're looking for protected keys (which will
+				 * have a null byte at string_key[0]), but want to avoid
+				 * skipping completely empty keys (which will also have the
+				 * null byte, but a string_length of 1). */
+				if (!string_length || string_key[0] || string_length == 1) {
 					return SUCCESS;
 				}
 			} else {
diff --git a/ext/spl/tests/bug67360.phpt b/ext/spl/tests/bug67360.phpt
new file mode 100644
index 0000000000..552c02ad74
--- /dev/null
+++ b/ext/spl/tests/bug67360.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug #67360 (Missing element after ArrayObject::getIterator)
+--FILE--
+<?php
+
+$array = array('' => 1, 1 => 2, 3 => 4);
+$ArrayObject = new ArrayObject($array);
+var_dump($ArrayObject);
+$Iterator = $ArrayObject->getIterator();
+var_dump(count($Iterator) === count($array));
+var_dump(iterator_to_array($Iterator));
+
+?>
+--EXPECTF--
+object(ArrayObject)#%d (1) {
+  ["storage":"ArrayObject":private]=>
+  array(3) {
+    [""]=>
+    int(1)
+    [1]=>
+    int(2)
+    [3]=>
+    int(4)
+  }
+}
+bool(true)
+array(3) {
+  [""]=>
+  int(1)
+  [1]=>
+  int(2)
+  [3]=>
+  int(4)
+}