Fixed bug #72229 (Wrong reference when serialize/unserialize an object)

laruence · laruence · commit 7989db975f32 · 2016-05-17T17:40:26.000+08:00
diff --git a/NEWS b/NEWS
@@ -21,6 +21,8 @@ PHP                                                                        NEWS
   . Fixed bug #72197 (pg_lo_create arbitrary read). (Anatol)
 
 - Standard:
+  . Fixed bug #72229 (Wrong reference when serialize/unserialize an object).
+    (Laruence)
   . Fixed bug #72193 (dns_get_record returns array containing elements of
     type 'unknown'). (Laruence)
   . Fixed bug #72017 (range() with float step produces unexpected result).
diff --git a/ext/standard/tests/serialize/bug72229.phpt b/ext/standard/tests/serialize/bug72229.phpt
@@ -0,0 +1,53 @@
+--TEST--
+Bug #72229 (Wrong reference when serialize/unserialize an object)
+--FILE--
+<?php
+class C1
+{
+    public $arr1 = array();
+    public $arr2 = array();
+    public function __construct()
+    {
+        $this->arr1[0] = $this;
+        $this->arr2[0] = $this->arr1[0];
+        $var1 = &$this->arr1[0];  // Set a reference...
+        unset($var1);             // ... and unset it. 
+    }
+}
+$Obj1 = new C1();
+$txt1 = serialize($Obj1);
+$Obj2 = unserialize($txt1);
+$Obj1->arr2[0] = 50;
+print_r($Obj1);
+$Obj2->arr2[0] = 50;
+print_r($Obj2);
+?>
+--EXPECTF--
+C1 Object
+(
+    [arr1] => Array
+        (
+            [0] => C1 Object
+ *RECURSION*
+        )
+
+    [arr2] => Array
+        (
+            [0] => 50
+        )
+
+)
+C1 Object
+(
+    [arr1] => Array
+        (
+            [0] => C1 Object
+ *RECURSION*
+        )
+
+    [arr2] => Array
+        (
+            [0] => 50
+        )
+
+)
diff --git a/ext/standard/var.c b/ext/standard/var.c
@@ -957,6 +957,10 @@ static void php_var_serialize_intern(smart_str *buf, zval *struc, php_serialize_
 						php_var_serialize_string(buf, ZSTR_VAL(key), ZSTR_LEN(key));
 					}
 
+					if (Z_ISREF_P(data) && Z_REFCOUNT_P(data) == 1) {
+						ZVAL_UNREF(data);
+					}
+
 					/* we should still add element even if it's not OK,
 					 * since we already wrote the length of the array before */
 					if ((Z_TYPE_P(data) == IS_ARRAY && Z_TYPE_P(struc) == IS_ARRAY && Z_ARR_P(data) == Z_ARR_P(struc))
