Fix use-after-free due to packed->mixed conversion with __unserialize()

diff --git a/ext/standard/tests/serialize/__serialize_007.phpt b/ext/standard/tests/serialize/__serialize_007.phpt
new file mode 100644 (file)
index 0000000..32cad44
--- /dev/null
+++ b/ext/standard/tests/serialize/__serialize_007.phpt
@@ -0,0 +1,15 @@
+--TEST--
+No packed -> mixed reallocation while populating __unserialize() array
+--FILE--
+<?php
+
+$payload = 'O:13:"ArrayIterator":2:{i:0;i:0;s:1:"x";R:2;}';
+try {
+    var_dump(unserialize($payload));
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Incomplete or ill-typed serialization data

diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index fcc68dc4312811b7c86e5622cc763b8f3e82b80f..1c0eaf621665c2e10c9319d939c0b7a914c1d1e8 100644 (file)
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -651,6 +651,8 @@ static inline int object_common(UNSERIALIZE_PARAMETER, zend_long elements, zend_
                }
 
                array_init_size(&ary, elements);
+               /* Avoid reallocation due to packed -> mixed conversion. */
+               zend_hash_real_init_mixed(Z_ARRVAL(ary));
                if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_ARRVAL(ary), elements, NULL)) {
                        ZVAL_DEREF(rval);
                        GC_ADD_FLAGS(Z_OBJ_P(rval), IS_OBJ_DESTRUCTOR_CALLED);