NULL deref in spl_directory.c

[YuanchengJiang]

Description

The following code:

<?php
$fname = __DIR__ . '/gh14687.phar.zip';
$phar = new Phar($fname);
class HasDestructor {
public function __destruct() {
var_dump($GLOBALS['s']);
}
}
$s = new SplObjectStorage();
$s[$phar] = new HasDestructor();
register_shutdown_function(function() {
global $s;
});
$fusion = $phar;
if ($fusion->isLink()) {
}

Resulted in this output:

/home/phpfuzz/WorkSpace/flowfusion/php-src/ext/spl/spl_directory.c:209:36: runtime error: member access within null pointer of type 'php_stream' (aka 'struct _php_stream')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/spl/spl_directory.c:209:36

To reproduce:

-d "phar.readonly=0"

PHP Version

nightly

Operating System

No response

[nielsdos]

I have a strong déjà vu with this one. Might try to analyze this tomorrow if someone else doesn't beat me to it.

[nielsdos]

This is extremely similar to GH-14687, fix may've been incomplete.