Merge branch 'PHP-8.5'

* PHP-8.5:
  Fix phpGH-20856: heap-use-after-free in SplDoublyLinkedList iterator when modifying during iteration

Author: ndossche

ext/spl/spl_dllist.c

@@ -728,11 +728,10 @@ PHP_METHOD(SplDoublyLinkedList, offsetUnset)
 	element = spl_ptr_llist_offset(intern->llist, index, intern->flags & SPL_DLLIST_IT_LIFO);
 
 	if (element != NULL) {
-		/* connect the neighbors */
+		/* disconnect the neighbours */
 		if (element->prev) {
 			element->prev->next = element->next;
 		}
-
 		if (element->next) {
 			element->next->prev = element->prev;
 		}
@@ -746,6 +745,10 @@ PHP_METHOD(SplDoublyLinkedList, offsetUnset)
 			llist->tail = element->prev;
 		}
 
+		/* Keep consistency if element is kept alive. */
+		element->prev = NULL;
+		element->next = NULL;
+
 		/* finally, delete the element */
 		llist->count--;
 

ext/spl/tests/gh20856.phpt

@@ -0,0 +1,26 @@
+--TEST--
+GH-20856 (heap-use-after-free in SplDoublyLinkedList iterator when modifying during iteration)
+--CREDITS--
+vi3tL0u1s
+iluuu1994
+--FILE--
+<?php
+$m = new SplStack;
+$m[] = new stdClass;
+$m[] = new stdClass;
+
+foreach ($m as $l) {
+    unset($m[0]);
+    unset($m[0]);
+}
+
+var_dump($m);
+?>
+--EXPECTF--
+object(SplStack)#%d (%d) {
+  ["flags":"SplDoublyLinkedList":private]=>
+  int(6)
+  ["dllist":"SplDoublyLinkedList":private]=>
+  array(0) {
+  }
+}