From c5fa7696e64455a8b23f00985a3bad61ebc062e7 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Wed, 8 Oct 2025 09:31:00 +0200 Subject: [PATCH] Fix Randomizer::__serialize() wrt INDIRECTs First follow-up to GH-20102. INDIRECTs must never get exposed to userland. The simple solution is to duplicate the properties array. Closes GH-20103. --- NEWS | 3 +++ ext/random/randomizer.c | 3 +-- .../methods/__serialize_indirects.phpt | 18 ++++++++++++++++++ 3 files changed, 22 insertions(+), 2 deletions(-) create mode 100644 ext/random/tests/03_randomizer/methods/__serialize_indirects.phpt diff --git a/NEWS b/NEWS index b2b8aaacf15..12ccb411bb5 100644 --- a/NEWS +++ b/NEWS @@ -7,6 +7,9 @@ PHP NEWS . Fixed bug GH-20073 (Assertion failure in WeakMap offset operations on reference). (nielsdos) +- Random: + . Fix Randomizer::__serialize() w.r.t. INDIRECTs. (nielsdos) + 23 Oct 2025, PHP 8.3.27 - Core: diff --git a/ext/random/randomizer.c b/ext/random/randomizer.c index fe9ad5fc35a..6254fe27c9c 100644 --- a/ext/random/randomizer.c +++ b/ext/random/randomizer.c @@ -468,8 +468,7 @@ PHP_METHOD(Random_Randomizer, __serialize) ZEND_PARSE_PARAMETERS_NONE(); array_init(return_value); - ZVAL_ARR(&t, zend_std_get_properties(&randomizer->std)); - Z_TRY_ADDREF(t); + ZVAL_ARR(&t, zend_array_dup(zend_std_get_properties(&randomizer->std))); zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &t); } /* }}} */ diff --git a/ext/random/tests/03_randomizer/methods/__serialize_indirects.phpt b/ext/random/tests/03_randomizer/methods/__serialize_indirects.phpt new file mode 100644 index 00000000000..1207e18dd82 --- /dev/null +++ b/ext/random/tests/03_randomizer/methods/__serialize_indirects.phpt @@ -0,0 +1,18 @@ +--TEST-- +Random: Engine: __serialize() must not expose INDIRECTs +--FILE-- +__serialize()); + +?> +--EXPECT-- +array(1) { + [0]=> + array(1) { + ["engine"]=> + object(Random\Engine\Secure)#2 (0) { + } + } +}
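Review bot: The new `zend_array_dup(zend_std_get_properties(&randomizer->std))` line in the `ext/random/randomizer.c` hunk encodes a memory-safety invariant that nothing at the call site states, so a later cleanup could restore the cheaper shared-table-plus-addref form and bring the bug back. I would add a comment directly above it, e.g. `/* Copy, don't share: the object's property table may contain IS_INDIRECT slots, which must never reach userland. */`. Dropping `Z_TRY_ADDREF(t)` looks right, since the duplicate is a fresh array whose single reference is handed to `return_value` by the insert. Any other method that wraps `zend_std_get_properties()` in a zval and returns it would presumably need the same treatment; none is visible in this hunk, and the body of `__serialize` starts outside it.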