The UNDEF marker here is important to prevent the creation of
a reference to the property currently being overwritten, which
would then leak.
This fixes oss-fuzz 6029559193534464, which was incorrectly
merged into oss-fuzz #30584 (which is reported at
https://github.com/google/oss-fuzz/issues/5211).
--- /dev/null
+--TEST--
+Trying to create a reference to an overwritten declared property
+--FILE--
+<?php
+$str = <<<STR
+O:5:"Error":2:{S:8:"previous";N;S:8:"previous";R:2;}
+STR;
+var_dump(unserialize($str));
+?>
+--EXPECTF--
+Notice: unserialize(): Error at offset 51 of 52 bytes in %s on line %d
+bool(false)
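Review bot: the payload in --FILE-- only exercises the uppercase `R:2` reference form against the duplicated `previous` key, so the test pins one of the two back-reference syntaxes. Consider adding a second case with the lowercase `r:2` form pointing at the same slot, so both ways of referring to the overwritten property are covered. Separately, --EXPECTF-- asserts only the notice and `bool(false)`; the leak named in the commit message is not visible in that output, so a one-line comment in the test stating that it is meant to be run with leak reporting would make the intent clear to whoever touches it next.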
}
var_push_dtor(var_hash, old_data);
Z_TRY_DELREF_P(old_data);
- ZVAL_NULL(old_data);
+ ZVAL_UNDEF(old_data);
data = old_data;
} else {
int ret = is_property_visibility_changed(obj->ce, &key);
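Review bot: the `ZVAL_UNDEF(old_data);` line needs a code comment explaining why UNDEF rather than NULL is required. The reason (it prevents a reference being created to the property slot currently being overwritten, which would then leak) exists only in the commit message, and a one-token difference from `ZVAL_NULL` is easy to revert during later cleanup. Also note that `data = old_data;` now hands an UNDEF zval to whatever consumes `data` next; that consumer is outside the visible lines, so confirm that it does not leave the declared property slot in the UNDEF state when unserialization of the value fails.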