Fix GH-20678: resource created by GlobIterator crashes with fclose().

close GH-20697

Author: devnexen

NEWS

@@ -16,6 +16,10 @@ PHP                                                                        NEWS
 - LDAP:
   . Fix memory leak in ldap_set_options(). (ndossche)
 
+- SPL:
+  . Fixed bug GH-20678 (resource created by GlobIterator crashes with fclose()).
+    (David Carlier)
+
 - Standard:
   . Fix error check for proc_open() command. (ndossche)
 

ext/spl/spl_directory.c

@@ -306,6 +306,11 @@ static void spl_filesystem_dir_open(spl_filesystem_object* intern, zend_string *
 	intern->type = SPL_FS_DIR;
 	intern->u.dir.dirp = php_stream_opendir(ZSTR_VAL(path), REPORT_ERRORS, FG(default_context));
 
+	if (intern->u.dir.dirp) {
+		/* we prevent potential UAF with conflicting explicit fclose(), relying on the object destructor for this */
+		intern->u.dir.dirp->flags |= PHP_STREAM_FLAG_NO_FCLOSE;
+	}
+
 	if (ZSTR_LEN(path) > 1 && IS_SLASH_AT(ZSTR_VAL(path), ZSTR_LEN(path)-1)) {
 		intern->path = zend_string_init(ZSTR_VAL(path), ZSTR_LEN(path)-1, 0);
 	} else {

ext/spl/tests/gh20678.phpt

@@ -0,0 +1,14 @@
+--TEST--
+GH-20678 (resource created by GlobalIterator crashes when it is called with fclose())
+--CREDITS--
+chongwick
+--FILE--
+<?php
+$iter = new GlobIterator(__DIR__ . '/*.abcdefghij');
+$resources = get_resources();
+$resource = end($resources);
+fclose($resource);
+?>
+--EXPECTF--
+
+Warning: fclose(): %d is not a valid stream resource in %s on line %d