Fixed bug #78409

This removes an incorrect optimization (I think this code used to be necessary to properly handle references in the Serializable based implementation, but now this code just avoids an array duplication in a way that is not sound).
2024-11-24 10:24:11 +08:00 · 2019-08-15 10:38:43 +02:00 · 2019-08-15 10:38:43 +02:00 · 34885408db
commit 34885408db
parent 65ea6bbdc6
3 changed files with 30 additions and 5 deletions
--- a/4
+++ b/4
@ -21,6 +21,10 @@ PHP                                                                        NEWS
  . Fixed bug #78410 (Cannot "manually" unserialize class that is final and
    extends an internal one). (Nikita)

+- SPL:
+  . Fixed bug #78409 (Segfault when creating instance of ArrayIterator without
+    constructor). (Nikita)
+
 08 Aug 2019, PHP 7.4.0beta2

 - Core:
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@ -1875,11 +1875,6 @@ SPL_METHOD(Array, __unserialize)
 	if (flags & SPL_ARRAY_IS_SELF) {
 		zval_ptr_dtor(&intern->array);
 		ZVAL_UNDEF(&intern->array);
-	} else if (Z_TYPE_P(storage_zv) == IS_ARRAY) {
-		zval_ptr_dtor(&intern->array);
-		ZVAL_COPY_VALUE(&intern->array, storage_zv);
-		ZVAL_NULL(storage_zv);
-		SEPARATE_ARRAY(&intern->array);
 	} else {
 		spl_array_set_array(ZEND_THIS, intern, storage_zv, 0L, 1);
 	}
--- a/ext/spl/tests/bug78409.phpt
+++ b/ext/spl/tests/bug78409.phpt
@ -0,0 +1,26 @@
+--TEST--
+Bug #78409: Segfault when creating instance of ArrayIterator without constructor
+--FILE--
+<?php
+
+$a = new ArrayObject;
+$u = [
+    0,
+    [],
+    [],
+];
+$a->__unserialize($u);
+var_dump($u);
+
+?>
+--EXPECT--
+array(3) {
+  [0]=>
+  int(0)
+  [1]=>
+  array(0) {
+  }
+  [2]=>
+  array(0) {
+  }
+}