<?php
class S extends SplObjectStorage {
public $other;
public function getHash($obj): string {
if ($this->other) {
$this->other->offsetUnset($obj); // free element
$this->other = null;
}
return "x"; // not in this storage -> enter if-block
}
}
$storage = new SplObjectStorage();
$obj = new stdClass();
$storage->offsetSet($obj);
$filter = new S();
$filter->other = $storage;
$storage->removeAllExcept($filter); // UAF here
Description
Originally reported by @kdsjZh.
The following code:
PHP Version
Operating System
No response