From b2b7519b6e6e0f8d6243b166c8c92455e412b734 Mon Sep 17 00:00:00 2001
From: Martin Hoch
Date: Tue, 23 May 2023 17:39:17 +0200
Subject: [PATCH] serialize: Fixed handling of nested object references

The removed if in var.c caused serialize to not handle object references correctly under certain circumstances. See tests/serialize/serialization_objects_019.phpt

The bug was originally introduced in commit 6c5942f, and the problematic line was last modified in commit bb0b4eb9. (Fixes oss-fuzz #44954)

The testcase from bb0b4eb9 still passes.
---
 .../serialize/serialization_objects_019.phpt | 17 +++++++++++++++++
 ext/standard/var.c | 2 --
 2 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 ext/standard/tests/serialize/serialization_objects_019.phpt

diff --git a/ext/standard/tests/serialize/serialization_objects_019.phpt b/ext/standard/tests/serialize/serialization_objects_019.phpt
new file mode 100644
index 0000000000000..505fc3d9af739
--- /dev/null
+++ b/ext/standard/tests/serialize/serialization_objects_019.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Object serialization with references
+--FILE--
+a = [$s];
+ $r->b = $r->a;
+ return $r;
+}
+var_dump(serialize(gen()));
+?>
+--EXPECTF--
+string(78) "O:8:"stdClass":2:{s:1:"a";a:1:{i:0;O:8:"stdClass":0:{}}s:1:"b";a:1:{i:0;r:3;}}"
+
+
diff --git a/ext/standard/var.c b/ext/standard/var.c
index c429763eb9c86..641e0275f5a03 100644
--- a/ext/standard/var.c
+++ b/ext/standard/var.c
@@ -666,8 +666,6 @@ static inline zend_long php_add_var_hash(php_serialize_data_t data, zval *var) /
 /* pass */
 } else if (Z_TYPE_P(var) != IS_OBJECT) {
 return 0;
-} else if (Z_REFCOUNT_P(var) == 1 && (Z_OBJ_P(var)->properties == NULL || GC_REFCOUNT(Z_OBJ_P(var)->properties) == 1)) {
-return 0;
 }
 /* References to objects are treated as if the reference didn't exist */
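Review bot: Deleting the refcount-1 branch in `php_add_var_hash` does fix the double-visit case, but it also disables the fast path for every object serialized, so each one now falls through to the var_hash lookup/insert even when nothing else can reach it; judging from the new test, the heuristic is only unsound when the enclosing array (`$r->a`, shared with `$r->b`) is itself reachable twice, so the narrower fix is to keep the condition and gate it on that, e.g. `} else if (!in_rcn_array && Z_REFCOUNT_P(var) == 1`, `&& (Z_OBJ_P(var)->properties == NULL || GC_REFCOUNT(Z_OBJ_P(var)->properties) == 1)) {`, `return 0;`, with `in_rcn_array` set by the caller when it recurses into an array whose refcount is above 1. That needs the signature of `php_add_var_hash` and its call sites in the serializer changed, and both the function's opening and the rest of its body lie outside this hunk. Whichever variant lands, the site deserves a why-comment, since a reader will otherwise re-add the optimization: `/* refcount == 1 does not mean the object is visited once: the array holding it may be shared, so it must still be registered in the var_hash */`. The new phpt only covers the shared-array case; the removed condition's second half (a shared properties table) presumably fails the same way and should get its own test before the branch is considered fully covered.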