Fixed bug #69970 (Use-after-free vulnerability in spl_recursive_it_move_forward_ex())

NEWS

@@ -14,6 +14,10 @@ PHP                                                                        NEWS
   . Fixed bug #69882 (OpenSSL error “key values mismatch” after 
     openssl_pkcs12_read with extra cert) (Tomasz Sawicki)
 
+- SPL:
+  . Fixed bug #69970 (Use-after-free vulnerability in
+    spl_recursive_it_move_forward_ex()). (Laruence)
+
 09 Jul 2015, PHP 5.6.11
 
 - Core:

ext/spl/spl_iterators.c

@@ -380,9 +380,11 @@ next_step:
 					}
 				}
 			}
+			if (object->level > 0) {
 				iterator->funcs->dtor(iterator TSRMLS_CC);
 				zval_ptr_dtor(&object->iterators[object->level].zobject);
 				object->level--;
+			}
 		} else {
 			return; /* done completeley */
 		}

ext/spl/tests/bug69970.phpt

@@ -0,0 +1,45 @@
+--TEST--
+Bug #69970 (Use-after-free vulnerability in spl_recursive_it_move_forward_ex())
+--FILE--
+<?php
+
+$count = 10;
+
+class RecursiveArrayIteratorIterator extends RecursiveIteratorIterator {
+  function rewind() {
+    echo "dummy\n";
+  }
+  function endChildren() {
+	  global $count;
+	  echo $this->getDepth();
+	  if (--$count > 0) {
+		  // Trigger use-after-free
+		  parent::rewind();
+	  }
+  }
+}
+$arr = array("a", array("ba", array("bba", "bbb")));
+$obj = new RecursiveArrayIterator($arr);
+$rit = new RecursiveArrayIteratorIterator($obj);
+
+foreach ($rit as $k => $v) {
+  echo ($rit->getDepth()) . "$k=>$v\n";
+}
+?>
+--EXPECT--
+dummy
+00=>a
+00=>a
+10=>ba
+20=>bba
+21=>bbb
+21010=>ba
+20=>bba
+21=>bbb
+21010=>ba
+20=>bba
+21=>bbb
+21010=>ba
+20=>bba
+21=>bbb
+21