Fix leak in SplObjectStorage unserialization

The result of php_var_unserialize always needs to be destroyed,
even if the call failed.

2 files changed, 18 insertions, 0 deletions

diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index e4342a8788..adf59128a1 100644
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -804,12 +804,14 @@ SPL_METHOD(SplObjectStorage, unserialize)
 		}
 		/* store reference to allow cross-references between different elements */
 		if (!php_var_unserialize(&entry, &p, s + buf_len, &var_hash)) {
+			zval_ptr_dtor(&entry);
 			goto outexcept;
 		}
 		if (*p == ',') { /* new version has inf */
 			++p;
 			if (!php_var_unserialize(&inf, &p, s + buf_len, &var_hash)) {
 				zval_ptr_dtor(&entry);
+				zval_ptr_dtor(&inf);
 				goto outexcept;
 			}
 		}
diff --git a/ext/standard/tests/serialize/unserialize_leak.phpt b/ext/standard/tests/serialize/unserialize_leak.phpt
new file mode 100644
index 0000000000..383bcfc075
--- /dev/null
+++ b/ext/standard/tests/serialize/unserialize_leak.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Unserialize leak in SplObjectStorage
+--FILE--
+<?php
+
+$payload = 'C:16:"SplObjectStorage":113:{x:i:2;O:8:"stdClass":1:{},a:2:{s:4:"prev";i:2;s:4:"next";O:8:"stdClass":0:{}};r:7;,R:2;s:4:"next";;r:3;};m:a:0:{}}';
+try {
+    var_dump(unserialize($payload));
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECTF--
+Notice: SplObjectStorage::unserialize(): Unexpected end of serialized data in %s on line %d
+Error at offset 24 of 113 bytes