From 5f13c62c77cb2b886dbd294926c885d8fd441af7 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Tue, 17 Dec 2024 22:05:07 +0100
Subject: [PATCH] Fix GH-17198: SplFixedArray assertion failure with
 get_object_vars

Because the properties table contains both a numeric index and a string
index that map to 0 in a symbol table, this causes an assertion failure.
Looking at the manual page of get_object_vars(), it seems that only real
properties must be included. Given that SplFixedArray's elements are not
accessible like properties, they should be excluded. This restores PHP
8.3 behaviour. The reason that this didn't cause problems on 8.3 is
because it used a different handler (get_properties).

Closes GH-17206.
---
 NEWS                       |  4 ++++
 ext/spl/spl_fixedarray.c   | 10 +++++++---
 ext/spl/tests/gh17198.phpt | 17 +++++++++++++++++
 3 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 ext/spl/tests/gh17198.phpt

diff --git a/NEWS b/NEWS
index 70dc8504ea6..6a421604b83 100644
--- a/NEWS
+++ b/NEWS
@@ -75,6 +75,10 @@ PHP                                                                        NEWS
     on SO_SNDTIMEO/SO_RCVTIMEO for socket_set_option().
     (David Carlier)
 
+- SPL:
+  . Fixed bug GH-17198 (SplFixedArray assertion failure with get_object_vars).
+    (nielsdos)
+
 - Streams:
   . Fixed bug GH-17037 (UAF in user filter when adding existing filter name due
     to incorrect error handling). (nielsdos)
diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
index 5d7949308a3..b919501c0dd 100644
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -239,10 +239,14 @@ static HashTable* spl_fixedarray_object_get_properties_for(zend_object *obj, zen
 	zval *const elements = intern->array.elements;
 	HashTable *ht = zend_new_array(size);
 
-	for (zend_long i = 0; i < size; i++) {
-		Z_TRY_ADDREF_P(&elements[i]);
-		zend_hash_next_index_insert(ht, &elements[i]);
+	/* The array elements are not *real properties*. */
+	if (purpose != ZEND_PROP_PURPOSE_GET_OBJECT_VARS) {
+		for (zend_long i = 0; i < size; i++) {
+			Z_TRY_ADDREF_P(&elements[i]);
+			zend_hash_next_index_insert(ht, &elements[i]);
+		}
 	}
+
 	if (source_properties && zend_hash_num_elements(source_properties) > 0) {
 		zend_long nkey;
 		zend_string *skey;
diff --git a/ext/spl/tests/gh17198.phpt b/ext/spl/tests/gh17198.phpt
new file mode 100644
index 00000000000..8bc652d49ef
--- /dev/null
+++ b/ext/spl/tests/gh17198.phpt
@@ -0,0 +1,17 @@
+--TEST--
+GH-17198 (SplFixedArray assertion failure with get_object_vars)
+--FILE--
+<?php
+#[AllowDynamicProperties]
+class MySplFixedArray extends SplFixedArray {
+}
+$array = new MySplFixedArray(2);
+$array->{0} = [];
+var_dump(get_object_vars($array));
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  array(0) {
+  }
+}