Fix #77298: segfault occurs when add property to unserialized empty ArrayObject

author CHU Zhaowei <jhdxr@php.net>

Wed, 19 Dec 2018 15:53:48 +0000 (16:53 +0100)

committer Christoph M. Becker <cmbecker69@gmx.de>

Fri, 21 Dec 2018 16:45:52 +0000 (17:45 +0100)
author CHU Zhaowei <jhdxr@php.net>
Wed, 19 Dec 2018 15:53:48 +0000 (16:53 +0100)
committer Christoph M. Becker <cmbecker69@gmx.de>
Fri, 21 Dec 2018 16:45:52 +0000 (17:45 +0100)
diff --git a/NEWS b/NEWS

index e9761f247234c5e4a4babf6cd62d333afe1a6cd8..bedf39e93abee466ff3d878580998c0b9f65b6b2 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
  |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
  ?? ??? ????, PHP 7.3.2
  
+- SPL:
+  . Fixed bug #77298 (segfault occurs when add property to unserialized empty
+    ArrayObject). (jhdxr)
+
  03 Jan 2019, PHP 7.3.1
  
  - Core:
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c

index 63345e6e331d8eb880f0579a478f6c71caac7dd2..9b11782147522bb4ae9b7defbf18dd90831f5a2a 100644 (file)
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1842,7 +1842,9 @@ SPL_METHOD(Array, unserialize)
  
                 if (Z_TYPE_P(array) == IS_ARRAY) {
                         zval_ptr_dtor(&intern->array);
-                       ZVAL_COPY(&intern->array, array);
+                       ZVAL_COPY_VALUE(&intern->array, array);
+                       ZVAL_NULL(array);
+                       SEPARATE_ARRAY(&intern->array);
                 } else {
                         spl_array_set_array(object, intern, array, 0L, 1);
                 }
diff --git a/ext/spl/tests/bug77298.phpt b/ext/spl/tests/bug77298.phpt

new file mode 100644 (file)

index 0000000..46eab67
--- /dev/null
+++ b/ext/spl/tests/bug77298.phpt
@@ -0,0 +1,28 @@
+--TEST--\r
+Bug #77298 (segfault occurs when add property to unserialized ArrayObject)\r
+--FILE--\r
+<?php\r
+$o = new ArrayObject();\r
+$o2 = unserialize(serialize($o));\r
+$o2[1]=123;\r
+var_dump($o2);\r
+\r
+$o3 = new ArrayObject();\r
+$o3->unserialize($o->serialize());\r
+$o3['xm']=456;\r
+var_dump($o3);\r
+--EXPECT--\r
+object(ArrayObject)#2 (1) {\r
+  ["storage":"ArrayObject":private]=>\r
+  array(1) {\r
+    [1]=>\r
+    int(123)\r
+  }\r
+}\r
+object(ArrayObject)#3 (1) {\r
+  ["storage":"ArrayObject":private]=>\r
+  array(1) {\r
+    ["xm"]=>\r
+    int(456)\r
+  }\r
+}
+\ No newline at end of file
author	CHU Zhaowei <jhdxr@php.net>
	Wed, 19 Dec 2018 15:53:48 +0000 (16:53 +0100)
committer	Christoph M. Becker <cmbecker69@gmx.de>
	Fri, 21 Dec 2018 16:45:52 +0000 (17:45 +0100)
NEWS		patch \| blob \| history
ext/spl/spl_array.c		patch \| blob \| history
ext/spl/tests/bug77298.phpt	[new file with mode: 0644]	patch \| blob