From b15189f4d8af396cc5731a7b7eaeb0791cf0bced Mon Sep 17 00:00:00 2001
From: CHU Zhaowei
Date: Wed, 19 Dec 2018 16:53:48 +0100
Subject: [PATCH] Fix #77298: segfault occurs when add property to unserialized empty ArrayObject
---
 NEWS | 4 ++++
 ext/spl/spl_array.c | 4 +++-
 ext/spl/tests/bug77298.phpt | 28 ++++++++++++++++++++++++++++
 3 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 ext/spl/tests/bug77298.phpt
diff --git a/NEWS b/NEWS
index e9761f2472..bedf39e93a 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 7.3.2
+- SPL:
+ . Fixed bug #77298 (segfault occurs when add property to unserialized empty
+ ArrayObject). (jhdxr)
+
 03 Jan 2019, PHP 7.3.1
 - Core:
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 63345e6e33..9b11782147 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1842,7 +1842,9 @@ SPL_METHOD(Array, unserialize)
 if (Z_TYPE_P(array) == IS_ARRAY) {
 zval_ptr_dtor(&intern->array);
- ZVAL_COPY(&intern->array, array);
+ ZVAL_COPY_VALUE(&intern->array, array);
+ ZVAL_NULL(array);
+ SEPARATE_ARRAY(&intern->array);
 } else {
 spl_array_set_array(object, intern, array, 0L, 1);
 }
diff --git a/ext/spl/tests/bug77298.phpt b/ext/spl/tests/bug77298.phpt
new file mode 100644
index 0000000000..46eab670ff
--- /dev/null
+++ b/ext/spl/tests/bug77298.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Bug #77298 (segfault occurs when add property to unserialized ArrayObject)
+--FILE--
+unserialize($o->serialize());
+$o3['xm']=456;
+var_dump($o3);
+--EXPECT--
+object(ArrayObject)#2 (1) {
+ ["storage":"ArrayObject":private]=>
+ array(1) {
+ [1]=>
+ int(123)
+ }
+}
+object(ArrayObject)#3 (1) {
+ ["storage":"ArrayObject":private]=>
+ array(1) {
+ ["xm"]=>
+ int(456)
+ }
+}
\ No newline at end of file
-- 
2.50.0
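Review bot: The three added lines in SPL_METHOD(Array, unserialize) encode a non-obvious ownership transfer that deserves a comment, because a reader of the hunk cannot tell why ZVAL_COPY was wrong. ZVAL_COPY_VALUE moves the decoded array into intern->array without a refcount bump, ZVAL_NULL(array) then detaches the source zval so that its later destruction (presumably outside the hunk) does not release the same HashTable twice, and SEPARATE_ARRAY gives the object a writable, unshared table — presumably the shared immutable empty array produced for an unserialized empty ArrayObject is what the subsequent property write crashed on. I would add above ZVAL_COPY_VALUE: `/* Take ownership of the unserialized array (no refcount bump), detach it from the source zval, and separate so a shared or immutable HashTable is never written in place. */`. The body of unserialize starts before and ends after this hunk, so the destruction path for `array` is assumed rather than visible here.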