authorCHU Zhaowei <jhdxr@php.net>2018-12-19 16:53:48 +0100
committerChristoph M. Becker <cmbecker69@gmx.de>2018-12-21 17:45:52 +0100
commitb15189f4d8af396cc5731a7b7eaeb0791cf0bced (patch)
tree1c99d588ad96e571249c3b890604614eb7bd729a
parent95193c38728986d27ac7129bcf1d3f74cc2c2cd7 (diff)
Fix #77298: segfault occurs when add property to unserialized empty ArrayObject
-rw-r--r--NEWS4
-rw-r--r--ext/spl/spl_array.c4
-rw-r--r--ext/spl/tests/bug77298.phpt28
3 files changed, 35 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index e9761f2472..bedf39e93a 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 7.3.2
+- SPL:
+ . Fixed bug #77298 (segfault occurs when add property to unserialized empty
+ ArrayObject). (jhdxr)
+
03 Jan 2019, PHP 7.3.1
- Core:
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 63345e6e33..9b11782147 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1842,7 +1842,9 @@ SPL_METHOD(Array, unserialize)
if (Z_TYPE_P(array) == IS_ARRAY) {
zval_ptr_dtor(&intern->array);
- ZVAL_COPY(&intern->array, array);
+ ZVAL_COPY_VALUE(&intern->array, array);
+ ZVAL_NULL(array);
+ SEPARATE_ARRAY(&intern->array);
} else {
spl_array_set_array(object, intern, array, 0L, 1);
}
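Review bot: The ownership transfer at `ZVAL_COPY_VALUE(&intern->array, array); ZVAL_NULL(array); SEPARATE_ARRAY(&intern->array);` needs a comment, because nothing on these lines says why the plain `ZVAL_COPY` was unsafe. Judging by the bug title, the unserialized value can be a shared or immutable array (the empty array), and a later write through `intern->array` would then modify memory the object does not own. This path is reachable from `unserialize()` on externally supplied data, so the invariant is worth stating in the code. I would add above the three lines: `/* Take ownership of the temporary and separate it: the unserialized array may be shared or immutable (e.g. empty), and intern->array is written in place later. */`. The body of `SPL_METHOD(Array, unserialize)` starts and ends outside this hunk, so how `array` is released after `ZVAL_NULL` cannot be confirmed from here.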
diff --git a/ext/spl/tests/bug77298.phpt b/ext/spl/tests/bug77298.phpt
new file mode 100644
index 0000000000..46eab670ff
--- /dev/null
+++ b/ext/spl/tests/bug77298.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Bug #77298 (segfault occurs when add property to unserialized ArrayObject)
+--FILE--
+<?php
+$o = new ArrayObject();
+$o2 = unserialize(serialize($o));
+$o2[1]=123;
+var_dump($o2);
+
+$o3 = new ArrayObject();
+$o3->unserialize($o->serialize());
+$o3['xm']=456;
+var_dump($o3);
+--EXPECT--
+object(ArrayObject)#2 (1) {
+ ["storage":"ArrayObject":private]=>
+ array(1) {
+ [1]=>
+ int(123)
+ }
+}
+object(ArrayObject)#3 (1) {
+ ["storage":"ArrayObject":private]=>
+ array(1) {
+ ["xm"]=>
+ int(456)
+ }
+}
\ No newline at end of file
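Review bot: The test only shows that a write after unserializing an empty ArrayObject no longer crashes; it does not check that the write stayed local to `$o2` and `$o3`. If the empty storage is a shared array, as the fix in spl_array.c suggests, a regression could pass this test while the element leaks into other empty arrays. I would append `var_dump(count($o), count(unserialize(serialize(new ArrayObject()))));` and expect `int(0)` twice in `--EXPECT--`. The `--TEST--` title also drops the word "empty" that the bug title has.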