From 4fed57e7464cb4bcbf7ee2acf515156b3ab53d8f Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sat, 4 Oct 2025 14:59:27 +0200
Subject: [PATCH] Fix GH-20043: array_unique assertion failure with RC1 array
 causing an exception on sort

The reason this happens is because the array_unique operation happens in-place
because the input array is RC1.
At one point during comparison an exception is thrown which will capture the
arguments in the backtrace, which will increment the refcount of the RC1 array
to 2. Then a modification happens after the throw on the RC2 array causing the
assertion failure.
We shouldn't try continue work after an exception happened during the sort.

Closes GH-20059.
---
 NEWS                                  |  2 ++
 ext/standard/array.c                  |  7 +++++++
 ext/standard/tests/array/gh20043.phpt | 12 ++++++++++++
 3 files changed, 21 insertions(+)
 create mode 100644 ext/standard/tests/array/gh20043.phpt

diff --git a/NEWS b/NEWS
index 2789d02634c..c25c1922f8b 100644
--- a/NEWS
+++ b/NEWS
@@ -54,6 +54,8 @@ PHP                                                                        NEWS
   . Fixed bug GH-19701 (Serialize/deserialize loses some data). (nielsdos)
   . Fixed bug GH-19801 (leaks in var_dump() and debug_zval_dump()).
     (alexandre-daubois)
+  . Fixed bug GH-20043 (array_unique assertion failure with RC1 array
+    causing an exception on sort). (nielsdos)
 
 - Streams:
   . Fixed bug GH-19248 (Use strerror_r instead of strerror in main).
diff --git a/ext/standard/array.c b/ext/standard/array.c
index f0a81b5ba89..b7b5f82d61c 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -4900,6 +4900,11 @@ PHP_FUNCTION(array_unique)
 	ZVAL_UNDEF(&arTmp[i].b.val);
 	zend_sort((void *) arTmp, i, sizeof(struct bucketindex),
 			(compare_func_t) cmp, (swap_func_t) array_bucketindex_swap);
+
+	if (UNEXPECTED(EG(exception))) {
+		goto out;
+	}
+
 	/* go through the sorted array and delete duplicates from the copy */
 	lastkept = arTmp;
 	for (cmpdata = arTmp + 1; Z_TYPE(cmpdata->b.val) != IS_UNDEF; cmpdata++) {
@@ -4919,6 +4924,8 @@ PHP_FUNCTION(array_unique)
 			}
 		}
 	}
+
+out:
 	pefree(arTmp, GC_FLAGS(Z_ARRVAL_P(array)) & IS_ARRAY_PERSISTENT);
 
 	if (in_place) {
diff --git a/ext/standard/tests/array/gh20043.phpt b/ext/standard/tests/array/gh20043.phpt
new file mode 100644
index 00000000000..d5c7e06417f
--- /dev/null
+++ b/ext/standard/tests/array/gh20043.phpt
@@ -0,0 +1,12 @@
+--TEST--
+GH-20043 (array_unique assertion failure with RC1 array causing an exception on sort)
+--FILE--
+<?php
+try {
+	array_unique([new stdClass, new stdClass], SORT_STRING | SORT_FLAG_CASE);
+} catch (Error $e) {
+	echo $e->getMessage();
+}
+?>
+--EXPECT--
+Object of class stdClass could not be converted to string