From: Nikita Popov Date: Thu, 18 Feb 2021 10:10:20 +0000 (+0100) Subject: Initialize property to UNDEF on unserialize overwrite X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e03284739f4a3a1052dfe5497fbf06c1b206f895;p=php Initialize property to UNDEF on unserialize overwrite The UNDEF marker here is important to prevent the creation of a reference to the property currently being overwritten, which would then leak. This fixes oss-fuzz 6029559193534464, which was incorrectly merged into oss-fuzz #30584 (which is reported at https://github.com/google/oss-fuzz/issues/5211). --- diff --git a/ext/standard/tests/serialize/unserialize_ref_to_overwritten_declared_prop.phpt b/ext/standard/tests/serialize/unserialize_ref_to_overwritten_declared_prop.phpt new file mode 100644 index 0000000000..f32b0c12e2 --- /dev/null +++ b/ext/standard/tests/serialize/unserialize_ref_to_overwritten_declared_prop.phpt @@ -0,0 +1,12 @@ +--TEST-- +Trying to create a reference to an overwritten declared property +--FILE-- + +--EXPECTF-- +Notice: unserialize(): Error at offset 51 of 52 bytes in %s on line %d +bool(false) diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index 56fe1fc784..fb1ab2f496 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re @@ -612,7 +612,7 @@ declared_property: } var_push_dtor(var_hash, old_data); Z_TRY_DELREF_P(old_data); - ZVAL_NULL(old_data); + ZVAL_UNDEF(old_data); data = old_data; } else { int ret = is_property_visibility_changed(obj->ce, &key);
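Review bot: the --FILE-- section of the new .phpt is empty in this rendering; the PHP body that builds the 52-byte payload and calls unserialize() does not appear between `--FILE--` and `--EXPECTF--`, so please confirm the test source survived in the actual commit, since without it the expected `Error at offset 51 of 52 bytes` notice cannot be produced. Also worth noting for anyone reading the test: the expected output only checks that the malformed input is rejected (`bool(false)` plus the offset notice); the leak the commit message describes is not asserted directly here and would only be caught by running the test under a leak checker such as ASAN or valgrind.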
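Review bot: the one-line change `- ZVAL_NULL(old_data); + ZVAL_UNDEF(old_data);` in the declared_property path of var_unserializer.re deserves an inline comment, because the reason (preventing a back-reference from being taken to the property slot that is currently being overwritten, as stated in the commit message) is not visible from the code itself, and a later reader may be tempted to "fix" it back to NULL. Please also double-check that every consumer which can observe the slot between this `ZVAL_UNDEF` and the subsequent assignment through `data = old_data` treats IS_UNDEF as "not a valid target" rather than reading it as a value, since dereferencing an UNDEF zval is not valid; the reference-creation path is the one this change is aimed at, and the new test covers it, but any other path that walks declared properties during unserialization would now see UNDEF where it previously saw null.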