From: Nikita Popov
Date: Thu, 15 Aug 2019 08:38:43 +0000 (+0200)
Subject: Fixed bug #78409
X-Git-Tag: php-7.4.0beta4~11
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=34885408db9e16c48e8c25195c39e0ef758faaaa;p=php
Fixed bug #78409
This removes an incorrect optimization (I think this code used to be necessary to properly handle references in the Serializable based implementation, but now this code just avoids an array duplication in a way that is not sound).
---
diff --git a/NEWS b/NEWS
index 64f8a51e2a..5a04cda676 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,10 @@ PHP NEWS . Fixed bug #78410 (Cannot "manually" unserialize class that is final and extends an internal one). (Nikita) +- SPL: + . Fixed bug #78409 (Segfault when creating instance of ArrayIterator without constructor). (Nikita) + 08 Aug 2019, PHP 7.4.0beta2 - Core:
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 32f1fd8bbd..90861b49c6 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1875,11 +1875,6 @@ SPL_METHOD(Array, __unserialize)
 if (flags & SPL_ARRAY_IS_SELF) {
 zval_ptr_dtor(&intern->array);
 ZVAL_UNDEF(&intern->array);
- } else if (Z_TYPE_P(storage_zv) == IS_ARRAY) {
- zval_ptr_dtor(&intern->array);
- ZVAL_COPY_VALUE(&intern->array, storage_zv);
- ZVAL_NULL(storage_zv);
- SEPARATE_ARRAY(&intern->array);
 } else {
 spl_array_set_array(ZEND_THIS, intern, storage_zv, 0L, 1);
 }
diff --git a/ext/spl/tests/bug78409.phpt b/ext/spl/tests/bug78409.phpt
new file mode 100644
index 0000000000..f59015fea7
--- /dev/null
+++ b/ext/spl/tests/bug78409.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Bug #78409: Segfault when creating instance of ArrayIterator without constructor
+--FILE--
+__unserialize($u);
+var_dump($u);
+
+?>
+--EXPECT--
+array(3) {
+ [0]=>
+ int(0)
+ [1]=>
+ array(0) {
+ }
+ [2]=>
+ array(0) {
+ }
+}
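Review bot: The reason the `} else {` branch of SPL_METHOD(Array, __unserialize) must always go through spl_array_set_array is not recorded in the code after this change, so the removed steal-the-array shortcut could plausibly be reintroduced by a later optimization. The removed lines wrote `ZVAL_NULL(storage_zv)` into the array handed to __unserialize, which the method does not own and which may be shared or immutable; the commit message calls that unsound, but the hunk leaves no comment saying so. I would add above the `} else {` line: `/* storage_zv belongs to the caller-supplied data array (possibly shared or immutable): copy it via spl_array_set_array, never move it out or modify it in place. */`. If spl_array_set_array can throw for a storage value that is neither array nor object (its body is outside this hunk), it is worth checking whether the remainder of __unserialize should stop early on a pending exception, since this path consumes unserialize() input; the enclosing function starts before and continues after the hunk.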