From 8b47ed84b612efd095379b479db5945c64faadc1 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo
Date: Wed, 26 Feb 2025 23:18:52 +0100
Subject: [PATCH] Fix RCn array modification violation with ArrayObject serialize
We seem to be assuming that the ArrayObject has exclusive access to the underlying array value. The existing RC hacks seems peculiar and should be investigated... Fixes GH-17935
---
 Zend/tests/gh17935.phpt | 36 ++++++++++++++++++++++++++++++++++++
 ext/spl/spl_array.c | 2 +-
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/gh17935.phpt
diff --git a/Zend/tests/gh17935.phpt b/Zend/tests/gh17935.phpt
new file mode 100644
index 0000000000000..3845d52505096
--- /dev/null
+++ b/Zend/tests/gh17935.phpt
@@ -0,0 +1,36 @@
+--TEST--
+GH-17935: RCn array modification violation with ArrayObject serialize
+--FILE--
+__serialize();
+$o['b'] = 'b';
+var_dump($o, $s);
+
+?>
+--EXPECT--
+object(ArrayObject)#1 (1) {
+ ["storage":"ArrayObject":private]=>
+ array(2) {
+ ["a"]=>
+ string(1) "a"
+ ["b"]=>
+ string(1) "b"
+ }
+}
+array(4) {
+ [0]=>
+ int(0)
+ [1]=>
+ array(1) {
+ ["a"]=>
+ string(1) "a"
+ }
+ [2]=>
+ array(0) {
+ }
+ [3]=>
+ NULL
+}
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 10407bee6a1a8..4d0369e442078 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1774,7 +1774,7 @@ PHP_METHOD(ArrayObject, __serialize)
 if (intern->ar_flags & SPL_ARRAY_IS_SELF) {
 ZVAL_NULL(&tmp);
 } else {
- ZVAL_COPY(&tmp, &intern->array);
+ ZVAL_DUP(&tmp, &intern->array);
 }
 zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &tmp);
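Review bot: The switch to `ZVAL_DUP` in the storage branch carries no comment, and nothing at that line says why a refcounted share (`ZVAL_COPY`) is unsafe here, so a later cleanup could revert it as a needless copy. Going by the commit message, ArrayObject appears to write to its storage as if it were the only holder, which means the array handed back by `__serialize()` has to be a separate copy or it changes underneath the caller; I would add `/* Duplicate, don't share: ArrayObject modifies its storage in place and assumes exclusive ownership (GH-17935). */` above the call. This covers the one reader shown; any other place that hands out `intern->array` by reference count is outside the hunk and would need the same check, and the in-place write itself is the part the message leaves to be investigated. The body of `PHP_METHOD(ArrayObject, __serialize)` starts and ends outside the hunk.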