|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81992 SplFixedArray::setSize() causes use-after-free
Submitted: 2023-05-10 11:39 UTC Modified: 2023-05-25 22:36 UTC
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: cyberguru007 at yandex dot ru Assigned:
Status: Closed Package: SPL related
PHP Version: 8.2.6RC1 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: cyberguru007 at yandex dot ru
New email:
PHP Version: OS:


 [2023-05-10 11:39 UTC] cyberguru007 at yandex dot ru
The root cause of this bug is similar to bug #80663.
There is a problem when __destruct called in the middle of SplFixedArray resizing. There is no check that size of internal storage was changed.
In function static void spl_fixedarray_resize(spl_fixedarray *array, zend_long size) the case when size = 0 was fixed in #80663, but similar case when size < array->size was not fixed. It causes use-after-free.
The bug can be triggered locally, or remotely, for example using unserialize(), and cause code execution.

The bug exists in PHP versions from End of life 7.4.* to latest 8.2.*

Test script:
class InvalidDestructor {
    public function __destruct() {
        global $obj;
        $a = str_repeat('A', 100);

$obj = new SplFixedArray(5);
$obj[2] = str_repeat('B', 100);
$obj[3] = new InvalidDestructor();

Expected result:

Actual result:


patch_for_php_8.2.5 (last revision 2023-05-10 11:39 UTC by cyberguru007 at yandex dot ru)

Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2023-05-25 22:36 UTC]
-Type: Security +Type: Bug
 [2023-08-14 19:39 UTC]
Automatic comment on behalf of nielsdos
Log: Fix #81992: SplFixedArray::setSize() causes use-after-free
 [2023-08-14 19:39 UTC]
-Status: Open +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Jul 20 01:01:29 2024 UTC