From 70ad93dd6e8ba2002773712b234c9378f3c10670 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Thu, 15 Sep 2022 22:36:07 +0200
Subject: [PATCH] Fix serialization of empty SplFixedArray
Avoid null pointer deref.
---
 ext/spl/spl_fixedarray.c | 15 +++++++++------
 ext/spl/tests/SplFixedArray_serialize.phpt | 6 ++++++
 2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
index a00bb8965af..cf304e738a4 100644
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -597,8 +597,9 @@ PHP_METHOD(SplFixedArray, __serialize)
 RETURN_THROWS();
 }
- uint32_t property_num = zend_hash_num_elements(intern->std.properties);
- array_init_size(return_value, intern->array.size + property_num);
+ uint32_t num_properties =
+ intern->std.properties ? zend_hash_num_elements(intern->std.properties) : 0;
+ array_init_size(return_value, intern->array.size + num_properties);
 /* elements */
 for (zend_long i = 0; i < intern->array.size; i++) {
@@ -608,10 +609,12 @@ PHP_METHOD(SplFixedArray, __serialize)
 }
 /* members */
- ZEND_HASH_FOREACH_STR_KEY_VAL(intern->std.properties, key, current) {
- zend_hash_add(Z_ARRVAL_P(return_value), key, current);
- Z_TRY_ADDREF_P(current);
- } ZEND_HASH_FOREACH_END();
+ if (intern->std.properties) {
+ ZEND_HASH_FOREACH_STR_KEY_VAL(intern->std.properties, key, current) {
+ zend_hash_add(Z_ARRVAL_P(return_value), key, current);
+ Z_TRY_ADDREF_P(current);
+ } ZEND_HASH_FOREACH_END();
+ }
 }
 PHP_METHOD(SplFixedArray, __unserialize)
diff --git a/ext/spl/tests/SplFixedArray_serialize.phpt b/ext/spl/tests/SplFixedArray_serialize.phpt
index da7c212109e..bf8cb897f7f 100644
--- a/ext/spl/tests/SplFixedArray_serialize.phpt
+++ b/ext/spl/tests/SplFixedArray_serialize.phpt
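Review bot: In the second hunk of ext/spl/spl_fixedarray.c the members loop still passes `key` to `zend_hash_add` unchecked, and `ZEND_HASH_FOREACH_STR_KEY_VAL` yields a NULL `key` for any entry stored under an integer index, so the same kind of null dereference this patch removes stays reachable if the properties table can ever hold integer-keyed entries (not visible here). Wrapping the two statements of the loop body in `if (key != NULL) { ... }`, or adding a comment that states why the table holds only string keys, would close that. The `intern->std.properties` NULL test is also written twice, once in the first hunk and once in the second; reading the pointer once into a local, for example `HashTable *props = intern->std.properties;`, keeps the count and the loop on the same table. PHP_METHOD(SplFixedArray, __serialize) starts above the first hunk, so the declarations of `key` and `current` are not visible.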
@@ -38,6 +38,9 @@ $array->__unserialize([
 ]);
 var_dump($array);
+var_dump($s = serialize(new SplFixedArray));
+var_dump(unserialize($s));
+
 ?>
 --EXPECTF--
 Deprecated: Creation of dynamic property SplFixedArray::$foo is deprecated in %s on line %d
@@ -71,3 +74,6 @@ object(SplFixedArray)#5 (1) {
 [0]=>
 NULL
 }
+string(25) "O:13:"SplFixedArray":0:{}"
+object(SplFixedArray)#1 (0) {
+}
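Review bot: The added case in SplFixedArray_serialize.phpt exercises only a zero-length array, so the elements loop never runs together with the NULL-properties path. A sized array with no dynamic properties, e.g. `var_dump(unserialize(serialize(new SplFixedArray(2))));`, would presumably take the same guarded branch while also serializing elements. The expected output visible here includes a deprecation notice for a dynamic property `$foo`, so the earlier cases may not cover that combination. The start of the test file is outside this hunk.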