Fix #77298: segfault occurs when add property to unserialized empty ArrayObject

jhdxr · cmb69 · commit b15189f4d8af · 2018-12-21T17:45:52.000+01:00
diff --git a/NEWS b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 7.3.2
 
+- SPL:
+  . Fixed bug #77298 (segfault occurs when add property to unserialized empty
+    ArrayObject). (jhdxr)
+
 03 Jan 2019, PHP 7.3.1
 
 - Core:
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
@@ -1842,7 +1842,9 @@ SPL_METHOD(Array, unserialize)
 
 		if (Z_TYPE_P(array) == IS_ARRAY) {
 			zval_ptr_dtor(&intern->array);
-			ZVAL_COPY(&intern->array, array);
+			ZVAL_COPY_VALUE(&intern->array, array);
+			ZVAL_NULL(array);
+			SEPARATE_ARRAY(&intern->array);
 		} else {
 			spl_array_set_array(object, intern, array, 0L, 1);
 		}
diff --git a/ext/spl/tests/bug77298.phpt b/ext/spl/tests/bug77298.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Bug #77298 (segfault occurs when add property to unserialized ArrayObject)
+--FILE--
+<?php
+$o = new ArrayObject();
+$o2 = unserialize(serialize($o));
+$o2[1]=123;
+var_dump($o2);
+
+$o3 = new ArrayObject();
+$o3->unserialize($o->serialize());
+$o3['xm']=456;
+var_dump($o3);
+--EXPECT--
+object(ArrayObject)#2 (1) {
+  ["storage":"ArrayObject":private]=>
+  array(1) {
+    [1]=>
+    int(123)
+  }
+}
+object(ArrayObject)#3 (1) {
+  ["storage":"ArrayObject":private]=>
+  array(1) {
+    ["xm"]=>
+    int(456)
+  }
+}
