From ffdc5728c8d0c1cc31e2a13d1d7a03e85a85e7f0 Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@php.net>
Date: Wed, 25 Feb 2015 18:21:59 +0800
Subject: [PATCH] Fixed bug #69108 ("Segmentation fault" when (de)serializing
 SplObjectStorage)

---
 NEWS                        |  2 ++
 ext/spl/spl_observer.c      |  1 +
 ext/spl/tests/bug69108.phpt | 22 ++++++++++++++++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 ext/spl/tests/bug69108.phpt

diff --git a/NEWS b/NEWS
index ef42a5e32e..f8d653fd5b 100644
--- a/NEWS
+++ b/NEWS
@@ -36,6 +36,8 @@ PHP                                                                        NEWS
     parameters). (Laruence)
 
 - SPL:
+  . Fixed bug #69108 ("Segmentation fault" when (de)serializing
+    SplObjectStorage). (Laruence)
   . Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after 
     calling getChildren()). (Julien)
 
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index a7f6132747..5e21088891 100644
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -782,6 +782,7 @@ SPL_METHOD(SplObjectStorage, serialize)
 	INIT_PZVAL(&members);
 	Z_ARRVAL(members) = zend_std_get_properties(getThis() TSRMLS_CC);
 	Z_TYPE(members) = IS_ARRAY;
+	zend_hash_del(Z_ARRVAL(members), "\x00gcdata", sizeof("\x00gcdata"));
 	pmembers = &members;
 	php_var_serialize(&buf, &pmembers, &var_hash TSRMLS_CC); /* finishes the string */
 
diff --git a/ext/spl/tests/bug69108.phpt b/ext/spl/tests/bug69108.phpt
new file mode 100644
index 0000000000..1829e9b2a2
--- /dev/null
+++ b/ext/spl/tests/bug69108.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #69108 ("Segmentation fault" when (de)serializing SplObjectStorage)
+--INI--
+zend.enable_gc=1
+--FILE--
+<?php
+$a = array();
+$b = new SplObjectStorage();
+for ($i = 10000; $i > 0; $i--) {
+	    $object = new StdClass();
+		    $a[] = $object;
+		    $b->attach($object);
+}
+
+$c = serialize(array($a, $b));
+$d = unserialize($c);
+
+unset($d);
+echo "ok";
+?>
+--EXPECT--
+ok
-- 
2.50.1