
Merge branch 'PHP-8.5'

* PHP-8.5:
  Fix GH-20614: SplFixedArray incorrectly handles references in deserialization
Niels Dossche
2025-11-30 10:43:52 +01:00
2 changed files with 25 additions and 2 deletions


@@ -635,7 +635,7 @@ PHP_METHOD(SplFixedArray, __unserialize)
intern->array.size = 0;
ZEND_HASH_FOREACH_STR_KEY_VAL(data, key, elem) {
if (key == NULL) {
ZVAL_COPY(&intern->array.elements[intern->array.size], elem);
ZVAL_COPY_DEREF(&intern->array.elements[intern->array.size], elem);
intern->array.size++;
} else {
Z_TRY_ADDREF_P(elem);
@@ -822,7 +822,7 @@ PHP_METHOD(SplFixedArray, offsetGet)
value = spl_fixedarray_object_read_dimension_helper(intern, zindex);
if (value) {
RETURN_COPY_DEREF(value);
RETURN_COPY(value);
} else {
RETURN_NULL();
}
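Review bot: In the offsetGet hunk, returning with `RETURN_COPY(value)` instead of `RETURN_COPY_DEREF(value)` makes "no slot of `intern->array.elements` ever holds a reference" a load-bearing invariant, and nothing in the visible lines enforces or documents it. This reads the second line of each printed pair as the new side, since the page has lost its +/- markers. The __unserialize hunk closes one writer by storing with `ZVAL_COPY_DEREF`, but the other writers to the element array are outside these hunks and cannot be checked from here. I would add `ZEND_ASSERT(!Z_ISREF_P(value));` before the return so debug builds catch any remaining path, plus a one-line comment stating the invariant. Both function bodies start and end outside the hunks.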


@@ -0,0 +1,23 @@
--TEST--
GH-20614 (SplFixedArray incorrectly handles references in deserialization)
--FILE--
<?php
$fa = new SplFixedArray(0);
$nr = 1;
$array = [&$nr];
$fa->__unserialize($array);
var_dump($fa);
unset($fa[0]);
var_dump($fa);
?>
--EXPECT--
object(SplFixedArray)#1 (1) {
[0]=>
int(1)
}
object(SplFixedArray)#1 (1) {
[0]=>
NULL
}
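Review bot: The test pins the dump before and after `unset($fa[0])` but never looks at `$nr`, so it does not state that the stored element is detached from the caller's variable. Adding `var_dump($nr);` after the last `var_dump($fa);`, with `int(1)` appended to --EXPECT--, would make that contract explicit. Only the list-style (integer key) path is exercised; a string-keyed entry holding a reference is not covered here.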