From: Nikita Popov <nikic@php.net>
Date: Mon, 25 Jul 2016 21:02:54 +0000 (+0200)
Subject: Fix GMP unserialization with self-reference
X-Git-Tag: php-7.0.10RC1~43
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b1d36cb820480f09ae0daa10b3f822ad5eb0db11;p=php

Fix GMP unserialization with self-reference
---

diff --git a/ext/gmp/gmp.c b/ext/gmp/gmp.c
index a1e15899c9..b84ede63ff 100644
--- a/ext/gmp/gmp.c
+++ b/ext/gmp/gmp.c
@@ -588,10 +588,15 @@ static int gmp_unserialize(zval *object, zend_class_entry *ce, const unsigned ch
 	zval *zv;
 	int retval = FAILURE;
 	php_unserialize_data_t unserialize_data = (php_unserialize_data_t) data;
+	zval object_copy;
 
 	PHP_VAR_UNSERIALIZE_INIT(unserialize_data);
 	gmp_create(object, &gmpnum);
 
+	/* The "object" variable may be modified during the execution of this unserialize handler
+	 * (it may turn into a reference). Keep the original object around for futher operations. */
+	ZVAL_COPY_VALUE(&object_copy, object);
+
 	p = buf;
 	max = buf + buf_len;
 
@@ -614,7 +619,7 @@ static int gmp_unserialize(zval *object, zend_class_entry *ce, const unsigned ch
 
 	if (zend_hash_num_elements(Z_ARRVAL_P(zv)) != 0) {
 		zend_hash_copy(
-			zend_std_get_properties(object), Z_ARRVAL_P(zv),
+			zend_std_get_properties(&object_copy), Z_ARRVAL_P(zv),
 			(copy_ctor_func_t) zval_add_ref
 		);
 	}
diff --git a/ext/gmp/tests/unserialize_with_reference.phpt b/ext/gmp/tests/unserialize_with_reference.phpt
new file mode 100644
index 0000000000..b733430a38
--- /dev/null
+++ b/ext/gmp/tests/unserialize_with_reference.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Unserialize GMP instance with internal reference to itself
+--FILE--
+<?php
+$s = 'C:3:"GMP":23:{s:1:"2";a:1:{i:46;R:1;}}';
+var_dump(unserialize($s));
+?>
+--EXPECT--
+object(GMP)#1 (2) {
+  [46]=>
+  *RECURSION*
+  ["num"]=>
+  string(1) "2"
+}