Fix #73529: session_decode() silently fails on wrong input

The `php_serialize` decode function has to return `FAILURE`, if the
unserialization failed on anything but an empty string.

The `php` decode function has also to return `FAILURE`, if there is
trailing garbage in the string.

Author: cmb69

NEWS

@@ -149,6 +149,7 @@ PHP                                                                        NEWS
 - Session:
   . Fixed bug #78624 (session_gc return value for user defined session
     handlers). (bshaffer)
+  . Fixed bug #73529 (session_decode() silently fails on wrong input). (cmb)
 
 - SimpleXML:
   . Fixed bug #75245 (Don't set content of elements with only whitespaces).

ext/session/session.c

@@ -873,7 +873,7 @@ PS_SERIALIZER_DECODE_FUNC(php_serialize) /* {{{ */
 	Z_ADDREF_P(&PS(http_session_vars));
 	zend_hash_update_ind(&EG(symbol_table), var_name, &PS(http_session_vars));
 	zend_string_release_ex(var_name, 0);
-	return SUCCESS;
+	return result || !vallen ? SUCCESS : FAILURE;
 }
 /* }}} */
 
@@ -990,7 +990,10 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
 	while (p < endptr) {
 		q = p;
 		while (*q != PS_DELIMITER) {
-			if (++q >= endptr) goto break_outer_loop;
+			if (++q >= endptr) {
+				retval = FAILURE;
+				goto break_outer_loop;
+			}
 		}
 
 		namelen = q - p;

ext/session/tests/bug73529.phpt

@@ -1,16 +1,15 @@
 --TEST--
 Bug #73529 session_decode() silently fails on wrong input
---XFAIL--
-session_decode() does not return proper status.
 --SKIPIF--
 <?php include('skipif.inc'); ?>
 --FILE--
 <?php
+ob_start();
 
 ini_set("session.serialize_handler", "php_serialize");
 session_start();
 
-$result1 = session_decode(serialize(["foo" => "bar"]));
+$result1 = session_decode('foo|s:3:"bar";');
 $session1 = $_SESSION;
 session_destroy();
 
@@ -21,17 +20,24 @@ $result2 = session_decode(serialize(["foo" => "bar"]));
 $session2 = $_SESSION;
 session_destroy();
 
+echo ob_get_clean();
+
 var_dump($result1);
 var_dump($session1);
 var_dump($result2);
 var_dump($session2);
 
 ?>
---EXPECT--
-bool(true)
-array(1) {
-  ["foo"]=>
-  string(3) "bar"
+--EXPECTF--
+Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d
+
+Warning: session_destroy(): Trying to destroy uninitialized session in %s on line %d
+
+Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d
+
+Warning: session_destroy(): Trying to destroy uninitialized session in %s on line %d
+bool(false)
+array(0) {
 }
 bool(false)
 array(0) {