Fix #80663: Recursive SplFixedArray::setSize() may cause double-free

We address the `::setSize(0)` case by setting `array->element = NULL`
and `array->size = 0` before we destroy the elements.

Co-authored-by: Tyson Andre <[email protected]>

Closes GH-7503.

Author: cmb69

NEWS

@@ -20,11 +20,15 @@ PHP                                                                        NEWS
 - PCRE:
   . Fixed bug #81424 (PCRE2 10.35 JIT performance regression). (cmb)
 
+- SPL:
+  . Fixed bug #80663 (Recursive SplFixedArray::setSize() may cause double-free).
+    (cmb, Nikita, Tyson Andre)
+
 - XML:
   . Fixed bug #70962 (XML_OPTION_SKIP_WHITE strips embedded whitespace).
     (Aliaksandr Bystry, cmb)
 
-23 Dep 2021, PHP 7.4.24
+23 Sep 2021, PHP 7.4.24
 
 - Core:
   . Fixed bug #81302 (Stream position after stream filter removed). (cmb)

ext/spl/spl_fixedarray.c

@@ -106,15 +106,20 @@ static void spl_fixedarray_resize(spl_fixedarray *array, zend_long size) /* {{{
 
 	/* clearing the array */
 	if (size == 0) {
-		zend_long i;
-
-		for (i = 0; i < array->size; i++) {
-			zval_ptr_dtor(&(array->elements[i]));
-		}
+		if (array->elements != NULL) {
+			zend_long i;
+			zval *elements = array->elements;
+			zend_long old_size = array->size;
 
-		if (array->elements) {
-			efree(array->elements);
 			array->elements = NULL;
+			array->size = 0;
+
+			for (i = 0; i < old_size; i++) {
+				zval_ptr_dtor(&(elements[i]));
+			}
+
+			efree(elements);
+			return;
 		}
 	} else if (size > array->size) {
 		array->elements = safe_erealloc(array->elements, size, sizeof(zval), 0);

ext/spl/tests/bug80663.phpt

@@ -0,0 +1,15 @@
+--TEST--
+Bug #80663 (Recursive SplFixedArray::setSize() may cause double-free)
+--FILE--
+<?php
+class InvalidDestructor {
+    public function __destruct() {
+        $GLOBALS['obj']->setSize(0);
+    }
+}
+
+$obj = new SplFixedArray(1000);
+$obj[0] = new InvalidDestructor();
+$obj->setSize(0);
+?>
+--EXPECT--