From 1b29e4488e19c89e5b37ecb26acaec443d7f1355 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 25 Sep 2016 16:43:24 -0700
Subject: [PATCH] Fix bug #73091 - Unserializing DateInterval object may lead
 to __toString invocation

---
 ext/date/php_date.c          |  4 ++--
 ext/date/tests/bug73091.phpt | 46 ++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 ext/date/tests/bug73091.phpt

diff --git a/ext/date/php_date.c b/ext/date/php_date.c
index dbcd9d0404..d4c695c6b7 100644
--- a/ext/date/php_date.c
+++ b/ext/date/php_date.c
@@ -4113,7 +4113,7 @@ static int php_date_interval_initialize_from_hash(zval **return_value, php_inter
 #define PHP_DATE_INTERVAL_READ_PROPERTY(element, member, itype, def) \
 	do { \
 		zval *z_arg = zend_hash_str_find(myht, element, sizeof(element) - 1); \
-		if (z_arg) { \
+		if (z_arg && Z_TYPE_P(z_arg) <= IS_STRING) { \
 			(*intobj)->diff->member = (itype)zval_get_long(z_arg); \
 		} else { \
 			(*intobj)->diff->member = (itype)def; \
@@ -4123,7 +4123,7 @@ static int php_date_interval_initialize_from_hash(zval **return_value, php_inter
 #define PHP_DATE_INTERVAL_READ_PROPERTY_I64(element, member) \
 	do { \
 		zval *z_arg = zend_hash_str_find(myht, element, sizeof(element) - 1); \
-		if (z_arg) { \
+		if (z_arg && Z_TYPE_P(z_arg) <= IS_STRING) { \
 			zend_string *str = zval_get_string(z_arg); \
 			DATE_A64I((*intobj)->diff->member, ZSTR_VAL(str)); \
 			zend_string_release(str); \
diff --git a/ext/date/tests/bug73091.phpt b/ext/date/tests/bug73091.phpt
new file mode 100644
index 0000000000..668ef505d8
--- /dev/null
+++ b/ext/date/tests/bug73091.phpt
@@ -0,0 +1,46 @@
+--TEST--
+Bug #73091 (Unserializing DateInterval object may lead to __toString invocation)
+--FILE--
+<?php
+class foo {
+    function __toString() {
+        var_dump(0);
+        return 'may be a bug';
+    }
+}
+    
+var_dump(unserialize('O:12:"DateInterval":1:{s:4:"days";O:3:"foo":0:{}}'));
+?>
+--EXPECTF--
+object(DateInterval)#%d (15) {
+  ["days"]=>
+  int(-1)
+  ["y"]=>
+  int(-1)
+  ["m"]=>
+  int(-1)
+  ["d"]=>
+  int(-1)
+  ["h"]=>
+  int(-1)
+  ["i"]=>
+  int(-1)
+  ["s"]=>
+  int(-1)
+  ["weekday"]=>
+  int(-1)
+  ["weekday_behavior"]=>
+  int(-1)
+  ["first_last_day_of"]=>
+  int(-1)
+  ["invert"]=>
+  int(0)
+  ["special_type"]=>
+  int(0)
+  ["special_amount"]=>
+  int(-1)
+  ["have_weekday_relative"]=>
+  int(0)
+  ["have_special_relative"]=>
+  int(0)
+}
-- 
2.50.1