From c3376bf7aebe193185ee5970b9d1e7f56f8c15d6 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Mon, 16 Sep 2019 14:37:16 +0200
Subject: [PATCH] Fix use-after-free due to packed->mixed conversion with __unserialize()

---
 ext/standard/tests/serialize/__serialize_007.phpt | 15 +++++++++++++++
 ext/standard/var_unserializer.re | 2 ++
 2 files changed, 17 insertions(+)
 create mode 100644 ext/standard/tests/serialize/__serialize_007.phpt

diff --git a/ext/standard/tests/serialize/__serialize_007.phpt b/ext/standard/tests/serialize/__serialize_007.phpt
new file mode 100644
index 0000000000..32cad44dba
--- /dev/null
+++ b/ext/standard/tests/serialize/__serialize_007.phpt
@@ -0,0 +1,15 @@
+--TEST--
+No packed -> mixed reallocation while populating __unserialize() array
+--FILE--
+getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Incomplete or ill-typed serialization data
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index fcc68dc431..1c0eaf6216 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -651,6 +651,8 @@ static inline int object_common(UNSERIALIZE_PARAMETER, zend_long elements, zend_
 	}
 
 	array_init_size(&ary, elements);
+	/* Avoid reallocation due to packed -> mixed conversion. */
+	zend_hash_real_init_mixed(Z_ARRVAL(ary));
 	if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_ARRVAL(ary), elements, NULL)) {
 		ZVAL_DEREF(rval);
 		GC_ADD_FLAGS(Z_OBJ_P(rval), IS_OBJ_DESTRUCTOR_CALLED);
-- 
2.50.0
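Review bot: The new comment in object_common() says what the call avoids but not why a reallocation is a memory-safety problem here, so a later reader could see `zend_hash_real_init_mixed(Z_ARRVAL(ary))` as a redundant hint and drop it; the subject line says the consequence is a use-after-free. I would make the invariant explicit, e.g. `/* Force the mixed layout up front: the table is filled while pointers into its bucket storage are still live, and a packed -> mixed conversion on the first string key would reallocate that storage (use-after-free). */`. As a secondary point, real-initializing the mixed table means the buckets plus hash slots for the size passed to `array_init_size(&ary, elements)` are now allocated before a single element has been parsed; if `elements` comes straight from the serialized stream and is not bounded or validated earlier, this is worth a one-line note on the allocation size being attacker-influenced. Whether such a bound exists cannot be seen here, since object_common() starts before and continues past this hunk.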