
SPL: heap-use-after-free in SplDoublyLinkedList iterator when modifying during iteration #20856

@vi3tL0u1s

Description

The following code:

<?php
// Fuzzer-generated reproducer: $i is never advanced, so the body repeats
// until the crash, which occurs on the second pass.
for ($i = 0; $i <= 2; $x++) {
    // Pass 1: $W[0] is a fresh SplStack. Pass 2: $W[0] is already a reference
    // to $a (set at the end of pass 1), so this assignment replaces $a itself
    // with the SplStack.
    $W[0] = new SplStack;
    // On pass 2 these are SplDoublyLinkedList::offsetSet(null, ...) calls,
    // i.e. pushes onto the stack.
    $a[null] = null;
    $a[null] = $m[0];
    $a[null] = $I .= serialize($GLOBALS);
    $W[0] =& $a;
    // Iterate the list while offsetUnset(0) removes elements from it.
    foreach($a as $l) {
        unset($W[0][0]);
        unset($W[0][0]);
    }
}

Resulted in this output (with USE_ZEND_ALLOC=0):

==3328737==ERROR: AddressSanitizer: heap-use-after-free on address 0x5030000231ec at pc 0x5634b863c2af bp 0x7ffee0f81730 sp 0x7ffee0f81720
READ of size 4 at 0x5030000231ec thread T0
    #0 0x5634b863c2ae in spl_dllist_it_helper_move_forward /path/to/php-src/ext/spl/spl_dllist.c:844
    #1 0x5634b863c679 in spl_dllist_it_move_forward /path/to/php-src/ext/spl/spl_dllist.c:894
    #2 0x5634b8c9a021 in zend_fe_fetch_object_helper_SPEC /path/to/php-src/Zend/zend_vm_execute.h:3097
    #3 0x5634b8d23aa3 in ZEND_FE_FETCH_R_SPEC_VAR_HANDLER /path/to/php-src/Zend/zend_vm_execute.h:23604
    #4 0x5634b8dfee59 in execute_ex /path/to/php-src/Zend/zend_vm_execute.h:119253
    #5 0x5634b8e09204 in zend_execute /path/to/php-src/Zend/zend_vm_execute.h:121924
    #6 0x5634b8f77d98 in zend_execute_script /path/to/php-src/Zend/zend.c:1981

0x5030000231ec is located 28 bytes inside of 32-byte region [0x5030000231d0,0x5030000231f0)
freed by thread T0 here:
    #0 0x7f33f7d4d537 in __interceptor_free
    #1 0x5634b8b48fa5 in __zend_free /path/to/php-src/Zend/zend_alloc.c:3571
    #2 0x5634b8b44d84 in _efree /path/to/php-src/Zend/zend_alloc.c:2790
    #3 0x5634b863ba4e in zim_SplDoublyLinkedList_offsetUnset /path/to/php-src/ext/spl/spl_dllist.c:782

previously allocated by thread T0 here:
    #0 0x7f33f7d4d887 in __interceptor_malloc
    #1 0x5634b8b48e5d in __zend_malloc /path/to/php-src/Zend/zend_alloc.c:3543
    #2 0x5634b863678e in spl_ptr_llist_push /path/to/php-src/ext/spl/spl_dllist.c:182
    #3 0x5634b863ac33 in zim_SplDoublyLinkedList_offsetSet /path/to/php-src/ext/spl/spl_dllist.c:703

SUMMARY: AddressSanitizer: heap-use-after-free /path/to/php-src/ext/spl/spl_dllist.c:844 in spl_dllist_it_helper_move_forward

Commit

5472cac806a

Configurations

CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" ./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic

PHP Version

PHP 8.6.0-dev (cli) (built: Jan  7 2026 13:33:43) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.6.0-dev, Copyright (c), by Zend Technologies

Operating System

Ubuntu 22.04
