Merge branch 'PHP-8.5'

* PHP-8.5: Fix shm corruption with coercion in options of unserialize()
2026-03-24 00:02:20 +01:00 · 2025-10-13 21:45:34 +02:00
parent aab5045a5b ff86c593a2
commit f30f358f02
2 changed files with 18 additions and 3 deletions
--- a/ext/standard/tests/serialize/shm_corruption_coercion_unserialize_options.phpt
+++ b/ext/standard/tests/serialize/shm_corruption_coercion_unserialize_options.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Shm corruption with coercion in options of unserialize()
+--FILE--
+<?php
+class MyStringable {
+    public function __toString(): string {
+        return "0";
+    }
+}
+
+unserialize("{}", ["allowed_classes" => [new MyStringable]]);
+?>
+--EXPECTF--
+Warning: unserialize(): Error at offset 0 of 2 bytes in %s on line %d
--- a/ext/standard/var.c
+++ b/ext/standard/var.c
@@ -1415,19 +1415,20 @@ PHPAPI void php_unserialize_with_options(zval *return_value, const char *buf, co
 						function_name, zend_zval_value_name(entry));
 					goto cleanup;
 				}
-				zend_string *name = zval_try_get_string(entry);
+				zend_string *tmp_str;
+				zend_string *name = zval_try_get_tmp_string(entry, &tmp_str);
 				if (UNEXPECTED(name == NULL)) {
 					goto cleanup;
 				}
 				if (UNEXPECTED(!zend_is_valid_class_name(name))) {
 					zend_value_error("%s(): Option \"allowed_classes\" must be an array of class names, \"%s\" given", function_name, ZSTR_VAL(name));
-					zend_string_release_ex(name, false);
+					zend_tmp_string_release(tmp_str);
 					goto cleanup;
 				}
 				zend_string *lcname = zend_string_tolower(name);
 				zend_hash_add_empty_element(class_hash, lcname);
-		        zend_string_release_ex(name, false);
 		        zend_string_release_ex(lcname, false);
+		        zend_tmp_string_release(tmp_str);
 			} ZEND_HASH_FOREACH_END();
 		}
 		php_var_unserialize_set_allowed_classes(var_hash, class_hash);