FIx bug #70213

NEWS

@@ -13,6 +13,10 @@ PHP                                                                        NEWS
   . Reverted fix for bug #73530	(Unsetting result set may reset other result
     set). (cmb)
 
+- Standard:
+  . Fixed bug #70213 (Unserialize context shared on double class lookup).
+    (Taoguang Chen)
+
 08 Dec 2016, PHP 5.6.29
 
 - Mbstring:

ext/standard/tests/serialize/bug70213.phpt

@@ -0,0 +1,30 @@
+--TEST--
+Bug #70213: Unserialize context shared on double class lookup
+--FILE--
+<?php
+
+ini_set('unserialize_callback_func', 'evil');
+
+function evil() {
+	function __autoload($arg) {
+        var_dump(unserialize('R:1;'));
+    }
+}
+
+var_dump(unserialize('a:2:{i:0;i:42;i:1;O:4:"evil":0:{}}'));
+
+?>
+--EXPECTF--
+Notice: unserialize(): Error at offset 4 of 4 bytes in %s on line %d
+bool(false)
+
+Warning: unserialize(): Function evil() hasn't defined the class it was called for in %s on line %d
+array(2) {
+  [0]=>
+  int(42)
+  [1]=>
+  object(__PHP_Incomplete_Class)#1 (1) {
+    ["__PHP_Incomplete_Class_Name"]=>
+    string(4) "evil"
+  }
+}

ext/standard/var_unserializer.re

@@ -815,6 +815,7 @@ object ":" uiv ":" ["]	{
 		}
 
 		/* The callback function may have defined the class */
+		BG(serialize_lock)++;
 		if (zend_lookup_class(class_name, len2, &pce TSRMLS_CC) == SUCCESS) {
 			ce = *pce;
 		} else {
@@ -822,6 +823,7 @@ object ":" uiv ":" ["]	{
 			incomplete_class = 1;
 			ce = PHP_IC_ENTRY;
 		}
+		BG(serialize_lock)--;
 
 		zval_ptr_dtor(&user_func);
 		zval_ptr_dtor(&arg_func_name);