Handle ref return from Iterator::key()

nikic · nikic · commit 46f9fed0d8e4 · 2021-04-15T13:05:48.000+02:00
Handle this in the implementation of get_current_key of user_it,
so that the callers may assume that the key is not a reference.

Fixes oss-fuzz #33018.
diff --git a/Zend/tests/iterator_key_by_ref.phpt b/Zend/tests/iterator_key_by_ref.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Iterator::key() with by-ref return
+--FILE--
+<?php
+class Test extends ArrayIterator {
+    function &key() {
+        return $foo;
+    }
+}
+foreach (new Test([0]) as $k => $v) {
+    var_dump($k);
+}
+?>
+--EXPECT--
+NULL
diff --git a/Zend/zend_interfaces.c b/Zend/zend_interfaces.c
@@ -154,6 +154,9 @@ ZEND_API void zend_user_it_get_current_key(zend_object_iterator *_iter, zval *ke
 	zend_user_iterator *iter = (zend_user_iterator*)_iter;
 	zval *object = &iter->it.data;
 	zend_call_method_with_0_params(Z_OBJ_P(object), iter->ce, &iter->ce->iterator_funcs_ptr->zf_key, "key", key);
+	if (UNEXPECTED(Z_ISREF_P(key))) {
+		zend_unwrap_reference(key);
+	}
 }
 /* }}} */
 

Original file line number	Diff line number	Diff line change
`@@ -154,6 +154,9 @@ ZEND_API void zend_user_it_get_current_key(zend_object_iterator _iter, zval ke`
`154`	`154`	`zend_user_iterator iter = (zend_user_iterator)_iter;`
`155`	`155`	`zval *object = &iter->it.data;`
`156`	`156`	`zend_call_method_with_0_params(Z_OBJ_P(object), iter->ce, &iter->ce->iterator_funcs_ptr->zf_key, "key", key);`
	`157`	`+ if (UNEXPECTED(Z_ISREF_P(key))) {`
	`158`	`+ zend_unwrap_reference(key);`
	`159`	`+ }`
`157`	`160`	`}`
`158`	`161`	`/* }}} */`
`159`	`162`