Skip to content

[pull] master from php:master#1003

Merged
pull[bot] merged 3 commits into
turkdevops:masterfrom
php:master
Jun 15, 2026
Merged

[pull] master from php:master#1003
pull[bot] merged 3 commits into
turkdevops:masterfrom
php:master

Conversation

@pull

@pull pull Bot commented Jun 15, 2026
edited
Loading

Copy link
Copy Markdown

See Commits and Changes for more details.

Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

iliaal added 3 commits June 15, 2026 07:33
@iliaal
Fix use-after-free when ArrayObject sort comparator replaces backing …
2210fda 
…store

spl_array_method() caches the backing HashTable pointer across a
user-supplied comparator (uasort/uksort and the sort handlers). The
comparator can re-enter __construct() or __unserialize(), which route
through spl_array_set_array() and swap intern->array out from under the
cached pointer, leaving the post-sort cleanup to release and dereference
freed memory. Mirror the nApplyCount guard the other mutators already
use so replacing the backing store during a sort throws instead.

Closes GH-22310
@iliaal
Merge branch 'PHP-8.4' into PHP-8.5
2dfc044 
* PHP-8.4:
  Fix use-after-free when ArrayObject sort comparator replaces backing store
@iliaal
Merge branch 'PHP-8.5'
917f3ea 
* PHP-8.5:
  Fix use-after-free when ArrayObject sort comparator replaces backing store
@pull pull Bot locked and limited conversation to collaborators Jun 15, 2026
@pull pull Bot added the ⤵️ pull label Jun 15, 2026
@pull pull Bot merged commit 917f3ea into turkdevops:master Jun 15, 2026
1 of 3 checks passed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

⤵️ pull

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@iliaal