From 2c97f73b5117e6693ffdf8fd7b2246033e565875 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Thu, 30 Apr 2026 19:17:42 +0100
Subject: [PATCH] ext/spl: Fix SplFixedArray::setSize leak when destructor grows during clear.
---
 ext/spl/spl_fixedarray.c | 12 ++++----
 ...ay_setSize_destruct_grow_during_clear.phpt | 28 +++++++++++++++++++
 2 files changed, 34 insertions(+), 6 deletions(-)
 create mode 100644 ext/spl/tests/SplFixedArray_setSize_destruct_grow_during_clear.phpt
diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
index 84adbe2233b1..8f8108e2f90b 100644
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -172,18 +172,18 @@ static void spl_fixedarray_resize(spl_fixedarray *array, zend_long size)
 return;
 }
- /* first initialization */
- if (array->size == 0) {
- spl_fixedarray_init(array, size);
- return;
- }
-
 if (UNEXPECTED(array->cached_resize >= 0)) {
 /* We're already resizing, so just remember the desired size.
 * The resize will happen later. */
 array->cached_resize = size;
 return;
 }
+ /* first initialization */
+ if (array->size == 0) {
+ spl_fixedarray_init(array, size);
+ return;
+ }
+
 array->cached_resize = size;
 /* clearing the array */
diff --git a/ext/spl/tests/SplFixedArray_setSize_destruct_grow_during_clear.phpt b/ext/spl/tests/SplFixedArray_setSize_destruct_grow_during_clear.phpt
new file mode 100644
index 000000000000..f0982364afa8
--- /dev/null
+++ b/ext/spl/tests/SplFixedArray_setSize_destruct_grow_during_clear.phpt
@@ -0,0 +1,28 @@
+--TEST--
+SplFixedArray::setSize: grow re-entrantly during clear (setSize(0))
+--FILE--
+arr !== null) {
+ $this->arr->setSize(5);
+ }
+ }
+}
+
+$arr = new SplFixedArray(2);
+$r = new Reentrant();
+$r->arr = $arr;
+$arr[0] = $r;
+unset($r);
+$arr[1] = "tail";
+
+$arr->setSize(0);
+echo "size: ", $arr->getSize(), "\n";
+$arr[0] = "ok";
+var_dump($arr[0]);
+?>
+--EXPECT--
+size: 5
+string(2) "ok"
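Review bot: The moved `if (array->size == 0)` block now sits below the `cached_resize >= 0` re-entrancy check, and nothing in the hunk records why that order matters, so a later tidy-up that puts the "first initialization" shortcut back at the top would silently reintroduce the leak the commit title describes. I would add a comment above the moved block, e.g. `/* Keep this below the cached_resize check: during a clear the size is already 0, so a re-entrant setSize() from an element destructor must be recorded as a deferred resize, not treated as first initialization. */`. This reading assumes cached_resize is negative whenever no resize is in progress, which the hunk only shows indirectly through the `>= 0` test. The rest of spl_fixedarray_resize (the clearing loop and the handling of the deferred size) continues outside the hunk.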
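Review bot: The regression test only reads back `$arr[0]` after the deferred grow to 5, so it would still pass if the element storage ended up shorter than the size reported by `getSize()`; reading the last slot pins that as well, e.g. add `var_dump($arr[4]);` before `?>` and a matching `NULL` line to the `--EXPECT--` block. As rendered here the `--FILE--` section begins at `arr !== null) {`, so the opening PHP tag, the class header and the start of the `if` appear to have been lost in transcription rather than in the patch; worth confirming the committed file is intact.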