Fix bug #66721

Add NULL check to php_date_parse_tzfile's retval

3 files changed, 19 insertions, 0 deletions

diff --git a/NEWS b/NEWS
index 25d093f50a..92b2961df8 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,10 @@ PHP                                                                        NEWS
   . Fixed bug #67024 (getimagesize should recognize BMP files with negative 
     height). (Gabor Buella)
 
+- Date:
+  . Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is
+    supplied). (Boro Sitnikovski)
+
 - Embed:
   . Fixed bug #65715 (php5embed.lib isn't provided anymore). (Anatol)
 
diff --git a/ext/date/php_date.c b/ext/date/php_date.c
index c0566334db..4a37961b02 100644
--- a/ext/date/php_date.c
+++ b/ext/date/php_date.c
@@ -2587,6 +2587,10 @@ static int php_date_initialize_from_hash(zval **return_value, php_date_obj **dat
 
 						tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC);
 
+						if (tzi == NULL) {
+							return 0;
+						}
+
 						ALLOC_INIT_ZVAL(tmp_obj);
 						tzobj = zend_object_store_get_object(php_date_instantiate(date_ce_timezone, tmp_obj TSRMLS_CC) TSRMLS_CC);
 						tzobj->type = TIMELIB_ZONETYPE_ID;
diff --git a/ext/date/tests/bug66721.phpt b/ext/date/tests/bug66721.phpt
new file mode 100644
index 0000000000..4806712437
--- /dev/null
+++ b/ext/date/tests/bug66721.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Test for bug #66721: __wakeup of DateTime segfaults when invalid object data is supplied
+--CREDITS--
+Boro Sitnikovski <buritomath@yahoo.com>
+--FILE--
+<?php
+$y = 'O:8:"DateTime":3:{s:4:"date";s:19:"2014-02-15 02:00:51";s:13:"timezone_type";i:3;s:8:"timezone";s:10:"1234567890";}';
+var_dump(unserialize($y));
+?>
+--EXPECTF--
+Fatal error: Invalid serialization data for DateTime object in %s on line %d