Fixed bug #78409

This removes an incorrect optimization (I think this code used to be
necessary to properly handle references in the Serializable based
implementation, but now this code just avoids an array duplication
in a way that is not sound).

Author: nikic

NEWS

@@ -21,6 +21,10 @@ PHP                                                                        NEWS
   . Fixed bug #78410 (Cannot "manually" unserialize class that is final and
     extends an internal one). (Nikita)
 
+- SPL:
+  . Fixed bug #78409 (Segfault when creating instance of ArrayIterator without
+    constructor). (Nikita)
+
 08 Aug 2019, PHP 7.4.0beta2
 
 - Core:

ext/spl/spl_array.c

@@ -1875,11 +1875,6 @@ SPL_METHOD(Array, __unserialize)
 	if (flags & SPL_ARRAY_IS_SELF) {
 		zval_ptr_dtor(&intern->array);
 		ZVAL_UNDEF(&intern->array);
-	} else if (Z_TYPE_P(storage_zv) == IS_ARRAY) {
-		zval_ptr_dtor(&intern->array);
-		ZVAL_COPY_VALUE(&intern->array, storage_zv);
-		ZVAL_NULL(storage_zv);
-		SEPARATE_ARRAY(&intern->array);
 	} else {
 		spl_array_set_array(ZEND_THIS, intern, storage_zv, 0L, 1);
 	}

ext/spl/tests/bug78409.phpt

@@ -0,0 +1,26 @@
+--TEST--
+Bug #78409: Segfault when creating instance of ArrayIterator without constructor
+--FILE--
+<?php
+
+$a = new ArrayObject;
+$u = [
+    0,
+    [],
+    [],
+];
+$a->__unserialize($u);
+var_dump($u);
+
+?>
+--EXPECT--
+array(3) {
+  [0]=>
+  int(0)
+  [1]=>
+  array(0) {
+  }
+  [2]=>
+  array(0) {
+  }
+}