Merge branch 'PHP-5.6' into PHP-7.0

NEWS

@@ -43,8 +43,11 @@ PHP                                                                        NEWS
     set). (cmb)
 
 - Standard:
-  . Fixed bug #73594 (dns_get_record does not populate $additional out parameter).
-    (Bruce Weirdan)
+  . Fixed bug #73594 (dns_get_record does not populate $additional out
+    parameter). (Bruce Weirdan)
+  . Fixed bug #70213 (Unserialize context shared on double class lookup).
+    (Taoguang Chen)
+
 
 - Zlib:
   . Fixed bug #73373 (deflate_add does not verify that output was not truncated).

ext/standard/tests/serialize/bug70213.phpt

@@ -0,0 +1,30 @@
+--TEST--
+Bug #70213: Unserialize context shared on double class lookup
+--FILE--
+<?php
+
+ini_set('unserialize_callback_func', 'evil');
+
+function evil() {
+	function __autoload($arg) {
+        var_dump(unserialize('R:1;'));
+    }
+}
+
+var_dump(unserialize('a:2:{i:0;i:42;i:1;O:4:"evil":0:{}}'));
+
+?>
+--EXPECTF--
+Notice: unserialize(): Error at offset 4 of 4 bytes in %s on line %d
+bool(false)
+
+Warning: unserialize(): Function evil() hasn't defined the class it was called for in %s on line %d
+array(2) {
+  [0]=>
+  int(42)
+  [1]=>
+  object(__PHP_Incomplete_Class)#1 (1) {
+    ["__PHP_Incomplete_Class_Name"]=>
+    string(4) "evil"
+  }
+}

ext/standard/var_unserializer.re

@@ -876,11 +876,13 @@ object ":" uiv ":" ["]	{
 		}
 
 		/* The callback function may have defined the class */
+		BG(serialize_lock)++;
 		if ((ce = zend_lookup_class(class_name)) == NULL) {
 			php_error_docref(NULL, E_WARNING, "Function %s() hasn't defined the class it was called for", Z_STRVAL(user_func));
 			incomplete_class = 1;
 			ce = PHP_IC_ENTRY;
 		}
+		BG(serialize_lock)--;
 
 		zval_ptr_dtor(&user_func);
 		zval_ptr_dtor(&args[0]);