Fix GMP unserialization with self-reference

2 files changed, 20 insertions, 1 deletions

diff --git a/ext/gmp/gmp.c b/ext/gmp/gmp.c
index a1e15899c9..b84ede63ff 100644
--- a/ext/gmp/gmp.c
+++ b/ext/gmp/gmp.c
@@ -588,10 +588,15 @@ static int gmp_unserialize(zval *object, zend_class_entry *ce, const unsigned ch
 	zval *zv;
 	int retval = FAILURE;
 	php_unserialize_data_t unserialize_data = (php_unserialize_data_t) data;
+	zval object_copy;
 
 	PHP_VAR_UNSERIALIZE_INIT(unserialize_data);
 	gmp_create(object, &gmpnum);
 
+	/* The "object" variable may be modified during the execution of this unserialize handler
+	 * (it may turn into a reference). Keep the original object around for futher operations. */
+	ZVAL_COPY_VALUE(&object_copy, object);
+
 	p = buf;
 	max = buf + buf_len;
 
@@ -614,7 +619,7 @@ static int gmp_unserialize(zval *object, zend_class_entry *ce, const unsigned ch
 
 	if (zend_hash_num_elements(Z_ARRVAL_P(zv)) != 0) {
 		zend_hash_copy(
-			zend_std_get_properties(object), Z_ARRVAL_P(zv),
+			zend_std_get_properties(&object_copy), Z_ARRVAL_P(zv),
 			(copy_ctor_func_t) zval_add_ref
 		);
 	}
diff --git a/ext/gmp/tests/unserialize_with_reference.phpt b/ext/gmp/tests/unserialize_with_reference.phpt
new file mode 100644
index 0000000000..b733430a38
--- /dev/null
+++ b/ext/gmp/tests/unserialize_with_reference.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Unserialize GMP instance with internal reference to itself
+--FILE--
+<?php
+$s = 'C:3:"GMP":23:{s:1:"2";a:1:{i:46;R:1;}}';
+var_dump(unserialize($s));
+?>
+--EXPECT--
+object(GMP)#1 (2) {
+  [46]=>
+  *RECURSION*
+  ["num"]=>
+  string(1) "2"
+}