From 88f8c5c0bb2a1917934abb1a2d4946cd35052da3 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Fri, 10 Oct 2025 23:22:54 +0200
Subject: [PATCH] Fix shm corruption with coercion in options of unserialize()
Closes GH-20129.
---
 NEWS | 3 +++
 .../shm_corruption_coercion_unserialize_options.phpt | 8 ++++++++
 ext/standard/var.c | 7 ++++---
 3 files changed, 15 insertions(+), 3 deletions(-)
 create mode 100644 ext/standard/tests/serialize/shm_corruption_coercion_unserialize_options.phpt
diff --git a/NEWS b/NEWS
index b40e46298d9..81bae73f498 100644
--- a/NEWS
+++ b/NEWS
@@ -41,6 +41,9 @@ PHP NEWS
 . Partially fixed bug GH-16317 (SimpleXML does not allow __debugInfo() overrides to work). (nielsdos)
+- Standard:
+ . Fix shm corruption with coercion in options of unserialize(). (nielsdos)
+
 - XMLReader:
 . Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available. (nielsdos)
diff --git a/ext/standard/tests/serialize/shm_corruption_coercion_unserialize_options.phpt b/ext/standard/tests/serialize/shm_corruption_coercion_unserialize_options.phpt
new file mode 100644
index 00000000000..530171b7bde
--- /dev/null
+++ b/ext/standard/tests/serialize/shm_corruption_coercion_unserialize_options.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Shm corruption with coercion in options of unserialize()
+--FILE--
+ [0]]);
+?>
+--EXPECTF--
+Warning: unserialize(): Error at offset 0 of 2 bytes in %s on line %d
diff --git a/ext/standard/var.c b/ext/standard/var.c
index 795fb366c60..d1ae076992d 100644
--- a/ext/standard/var.c
+++ b/ext/standard/var.c
@@ -1366,13 +1366,14 @@ PHPAPI void php_unserialize_with_options(zval *return_value, const char *buf, co
 }
 if(class_hash && Z_TYPE_P(classes) == IS_ARRAY) {
 zval *entry;
- zend_string *lcname;
+ zend_string *lcname, *tmp_str, *str;
 ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(classes), entry) {
- convert_to_string(entry);
- lcname = zend_string_tolower(Z_STR_P(entry));
+ str = zval_get_tmp_string(entry, &tmp_str);
+ lcname = zend_string_tolower(str);
 zend_hash_add_empty_element(class_hash, lcname);
 zend_string_release_ex(lcname, 0);
+ zend_tmp_string_release(tmp_str);
 } ZEND_HASH_FOREACH_END();
 /* Exception during string conversion. */
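Review bot: The loop in `php_unserialize_with_options` does not stop at the first entry that fails to convert. As far as I can tell, `zval_get_tmp_string()` returns a placeholder string rather than NULL on failure, so that placeholder is lowercased and added to `class_hash`, and the remaining entries are still converted (which may run `__toString()`) while an exception is already pending. Switching to `str = zval_try_get_tmp_string(entry, &tmp_str);` followed by `if (!str) { break; }` would leave the loop at the first failure and keep the allow-list free of entries the caller never supplied. It is also worth recording why the entry is no longer converted in place, e.g. `/* The options array may be immutable or live in opcache SHM; convert into a temporary instead of modifying it. */` above the conversion. The function starts before the hunk and the exception check runs past its last line, so the cleanup path is inferred from the trailing comment only.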