Fix signed integer overflow in SplObjectStorage unserialization

If count is ZEND_LONG_MIN the count-- loop underflows. This is
ultimately harmless, but results in a ubsan warning.

Fix this by adding a sanity check that the count isn't negative,
because that doesn't make sense...

2 files changed, 18 insertions, 0 deletions

diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index adf59128a1..605a9234d1 100644
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -787,6 +787,9 @@ SPL_METHOD(SplObjectStorage, unserialize)
 
 	--p; /* for ';' */
 	count = Z_LVAL_P(pcount);
+	if (count < 0) {
+		goto outexcept;
+	}
 
 	ZVAL_UNDEF(&entry);
 	ZVAL_UNDEF(&inf);
diff --git a/ext/standard/tests/serialize/splobjectstorage_negative_count.phpt b/ext/standard/tests/serialize/splobjectstorage_negative_count.phpt
new file mode 100644
index 0000000000..4dda491a8b
--- /dev/null
+++ b/ext/standard/tests/serialize/splobjectstorage_negative_count.phpt
@@ -0,0 +1,15 @@
+--TEST--
+OSS-Fuzz: Unserializing SplObjectStorage with negative number of elements
+--FILE--
+<?php
+
+$str = 'C:16:"SplObjectStorage":25:{x:i:-9223372036854775808;}';
+try {
+    var_dump(unserialize($str));
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Error at offset 24 of 25 bytes