Fix a NULL pointer dereference bug lead by php_pcre_replace_impl()

php_pcre_replace_impl() will return NULL on failure.
However, in the implementation of RegexIterator::accept() the return value of
php_pcre_replace_impl() is directly used without any check,
which leads to a NULL pointer dereference.

Fix this by adding a NULL check, and returning false in that case.

Closes GH-8271

Signed-off-by: George Peter Banyard <[email protected]>

Author: zhou1615

ext/spl/spl_iterators.c

@@ -1866,6 +1866,11 @@ PHP_METHOD(RegexIterator, accept)
 			}
 
 			result = php_pcre_replace_impl(intern->u.regex.pce, subject, ZSTR_VAL(subject), ZSTR_LEN(subject), replacement_str, -1, &count);
+			zend_string_release(replacement_str);
+
+			if (!result) {
+				RETURN_FALSE;
+			}
 
 			if (intern->u.regex.flags & REGIT_USE_KEY) {
 				zval_ptr_dtor(&intern->current.key);
@@ -1875,7 +1880,6 @@ PHP_METHOD(RegexIterator, accept)
 				ZVAL_STR(&intern->current.data, result);
 			}
 
-			zend_string_release(replacement_str);
 			RETVAL_BOOL(count > 0);
 		}
 	}

ext/spl/tests/gh8271.phpt

@@ -0,0 +1,37 @@
+--TEST--
+GH-8271: NULL pointer dereference in RegexIterator::accept()
+--EXTENSIONS--
+spl
+--FILE--
+<?php
+function words() {
+    yield "f\xC3oo";
+    yield "bar";
+    yield "baz";
+}
+
+$it = new RegexIterator(words(), '/a/u', RegexIterator::REPLACE);
+var_dump(iterator_to_array($it));
+
+function wordsForEach() {
+    foreach (["f\xC3oo", "bar", "baz"] as $word) {
+        yield $word;
+    }
+}
+$it = new RegexIterator(wordsForEach(), '/a/u', RegexIterator::REPLACE);
+var_dump(iterator_to_array($it));
+
+?>
+--EXPECT--
+array(2) {
+  [1]=>
+  string(2) "br"
+  [2]=>
+  string(2) "bz"
+}
+array(2) {
+  [1]=>
+  string(2) "br"
+  [2]=>
+  string(2) "bz"
+}