From eeec0939e004c27de67cbe6c476f1e2c31dcf6c7 Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Sat, 29 Jun 2024 08:42:03 +0100
Subject: [PATCH] Fix GH-14687 segfault on debugging a freed SplObjectIterator
 instance.

close GH-14711
---
 NEWS                       |  2 ++
 ext/spl/spl_directory.c    |  2 +-
 ext/spl/tests/gh14687.phpt | 49 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 ext/spl/tests/gh14687.phpt

diff --git a/NEWS b/NEWS
index 857248b413ee4..9ae904f160d7e 100644
--- a/NEWS
+++ b/NEWS
@@ -108,6 +108,8 @@ PHP                                                                        NEWS
   . Fix GH-16477 (Segmentation fault when calling __debugInfo() after failed
     SplFileObject::__constructor). (Girgias)
   . Fixed bug GH-16589 (UAF in SplDoublyLinked->serialize()). (nielsdos)
+  . Fixed bug GH-14687 (segfault on SplObjectIterator instance).
+    (David Carlier)
 
 - Standard:
   . Fixed bug GH-16293 (Failed assertion when throwing in assert() callback with
diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
index 83653f65e9f5f..33b35dc6bca9b 100644
--- a/ext/spl/spl_directory.c
+++ b/ext/spl/spl_directory.c
@@ -668,7 +668,7 @@ static inline HashTable *spl_filesystem_object_get_debug_info(zend_object *objec
 	if (intern->type == SPL_FS_DIR) {
 #ifdef HAVE_GLOB
 		pnstr = spl_gen_private_prop_name(spl_ce_DirectoryIterator, "glob", sizeof("glob")-1);
-		if (php_stream_is(intern->u.dir.dirp ,&php_glob_stream_ops)) {
+		if (intern->u.dir.dirp && php_stream_is(intern->u.dir.dirp ,&php_glob_stream_ops)) {
 			ZVAL_STR_COPY(&tmp, intern->path);
 		} else {
 			ZVAL_FALSE(&tmp);
diff --git a/ext/spl/tests/gh14687.phpt b/ext/spl/tests/gh14687.phpt
new file mode 100644
index 0000000000000..1e95d6b6517cc
--- /dev/null
+++ b/ext/spl/tests/gh14687.phpt
@@ -0,0 +1,49 @@
+--TEST--
+GH-14687 segfault on debugging SplObjectStorage instance after __destruct.
+--CREDITS--
+YuanchengJiang
+--EXTENSIONS--
+phar
+--INI--
+phar.require_hash=0
+phar.readonly=0
+--FILE--
+<?php
+$fname = __DIR__ . '/gh14687.phar.zip';
+$phar = new Phar($fname);
+class HasDestructor {
+  public function __destruct() {
+    var_dump($GLOBALS['s']);
+  }
+}
+$s = new SplObjectStorage();
+$s[$phar] = new HasDestructor();
+register_shutdown_function(function() {
+	global $s;
+});
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . '/gh14687.phar.zip');
+?>
+--EXPECT--
+object(SplObjectStorage)#2 (1) {
+  ["storage":"SplObjectStorage":private]=>
+  array(1) {
+    [0]=>
+    array(2) {
+      ["obj"]=>
+      object(Phar)#1 (3) {
+        ["pathName":"SplFileInfo":private]=>
+        string(0) ""
+        ["glob":"DirectoryIterator":private]=>
+        bool(false)
+        ["subPathName":"RecursiveDirectoryIterator":private]=>
+        string(0) ""
+      }
+      ["inf"]=>
+      object(HasDestructor)#3 (0) {
+      }
+    }
+  }
+}