Use-after-free of self-freeing MultipleIterator children

[iluuu1994]

Description

Originally reported by @flex0geek.

The following code:

<?php

class FreeSelfOnRewind implements Iterator {
    public function __construct(private MultipleIterator $parent) {}

    public function rewind(): void {
        $this->parent->detachIterator($this);
        var_dump($this);
    }

    public function current(): mixed { return 0; }
    public function key(): mixed { return 0; }
    public function next(): void {}
    public function valid(): bool { return false; }
}

$mi = new MultipleIterator();
$mi->attachIterator(new FreeSelfOnRewind($mi));
$mi->rewind();

Resulted in this output:

Use-after-free

The same goes for various other MultipleIterator methods that call methods on the child iterator without addref.

PHP Version

8.4+

Operating System

No response

[devnexen]

@iluuu1994 do you prefer to work on it or is it fine if I take it ?

[iluuu1994]

@devnexen Feel free to take over.