Call destructor after overriding old SplObjectStorage entry

TysonAndre · TysonAndre · commit 784e1a57c691 · 2021-11-26T21:01:29.000-05:00
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
@@ -157,15 +157,17 @@ static spl_SplObjectStorageElement *spl_object_storage_attach_handle(spl_SplObje
 	ZEND_ASSERT(intern->fptrs == NULL || !intern->fptrs->override_write_dimension);
 
 	if (Z_TYPE_P(entry_zv) != IS_NULL) {
+		zval zv_inf;
 		ZEND_ASSERT(Z_TYPE_P(entry_zv) == IS_PTR);
 		pelement = Z_PTR_P(entry_zv);
-		/* FIXME unsafe if destructor of inf moves/removes this entry */
-		zval_ptr_dtor(&pelement->inf);
+		ZVAL_COPY_VALUE(&zv_inf, &pelement->inf);
 		if (inf) {
 			ZVAL_COPY(&pelement->inf, inf);
 		} else {
 			ZVAL_NULL(&pelement->inf);
 		}
+		/* Call the old value's destructor last, in case it moves the entry */
+		zval_ptr_dtor(&zv_inf);
 		return pelement;
 	}
 
@@ -190,14 +192,16 @@ spl_SplObjectStorageElement *spl_object_storage_attach(spl_SplObjectStorage *int
 	pelement = spl_object_storage_get(intern, &key);
 
 	if (pelement) {
-		/* FIXME unsafe if destructor of inf moves/removes this entry */
-		zval_ptr_dtor(&pelement->inf);
+		zval zv_inf;
+		ZVAL_COPY_VALUE(&zv_inf, &pelement->inf);
 		if (inf) {
 			ZVAL_COPY(&pelement->inf, inf);
 		} else {
 			ZVAL_NULL(&pelement->inf);
 		}
 		spl_object_storage_free_hash(intern, &key);
+		/* Call the old value's destructor last, in case it moves the entry */
+		zval_ptr_dtor(&pelement->inf);
 		return pelement;
 	}
 
