From 2c508c4d407e98a27ed2631ae88e2e10ee430003 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 1 Mar 2021 16:20:31 +0100
Subject: Always remove HT iterators, even for uninit HT

Fixes oss-fuzz #31423.
---
 Zend/tests/array_splice_empty_ht_iter_removal.phpt | 15 +++++++++++++++
 Zend/zend_hash.c                                   |  2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/array_splice_empty_ht_iter_removal.phpt

(limited to 'Zend')

diff --git a/Zend/tests/array_splice_empty_ht_iter_removal.phpt b/Zend/tests/array_splice_empty_ht_iter_removal.phpt
new file mode 100644
index 0000000000..1461827bc9
--- /dev/null
+++ b/Zend/tests/array_splice_empty_ht_iter_removal.phpt
@@ -0,0 +1,15 @@
+--TEST--
+HT iterator should be destroyed if array becomes empty during array_splice
+--FILE--
+<?php
+$a=[4];
+$i = 0;
+foreach ($a as &$r) {
+    var_dump($r);
+    $a = array_splice($a, 0);
+    if (++$i == 2) break;
+}
+?>
+--EXPECT--
+int(4)
+int(4)
diff --git a/Zend/zend_hash.c b/Zend/zend_hash.c
index d35d8afd53..da150bd798 100644
--- a/Zend/zend_hash.c
+++ b/Zend/zend_hash.c
@@ -1630,10 +1630,10 @@ ZEND_API void ZEND_FASTCALL zend_array_destroy(HashTable *ht)
 	} else if (EXPECTED(HT_FLAGS(ht) & HASH_FLAG_UNINITIALIZED)) {
 		goto free_ht;
 	}
-	zend_hash_iterators_remove(ht);
 	SET_INCONSISTENT(HT_DESTROYED);
 	efree(HT_GET_DATA_ADDR(ht));
 free_ht:
+	zend_hash_iterators_remove(ht);
 	FREE_HASHTABLE(ht);
 }
 
-- 
cgit v1.2.1