authorNikita Popov <nikita.ppv@gmail.com>2020-06-12 14:57:08 +0200
committerNikita Popov <nikita.ppv@gmail.com>2020-06-12 15:02:12 +0200
commit50c87e92fc22ae3da5dda6f7340d3b786c6117a4 (patch)
treec8a824183dc116d58c73448e990dbab6daed01a4 /Zend/tests
parentb7a55aaff272f28fc03e68b756ad2f232515aaf2 (diff)
downloadphp-git-50c87e92fc22ae3da5dda6f7340d3b786c6117a4.tar.gz
Use GC stack in nested data removal
We should be doing this anyway to prevent stack overflow, but on master this is important for an additional reason: The temporary GC buffer provided for get_gc handlers may get reused if the scan is performed recursively instead of indirected via the GC stack. This fixes oss-fuzz #23350.
Diffstat (limited to 'Zend/tests')
-rw-r--r--Zend/tests/gc_043.phpt44
1 files changed, 44 insertions, 0 deletions
diff --git a/Zend/tests/gc_043.phpt b/Zend/tests/gc_043.phpt
new file mode 100644
index 0000000000..06b64de39a
--- /dev/null
+++ b/Zend/tests/gc_043.phpt
@@ -0,0 +1,44 @@
+--TEST--
+GC buffer shouldn't get reused when removing nested data
+--FILE--
+<?php
+$s = <<<'STR'
+O:8:"stdClass":2:{i:5;C:8:"SplStack":29:{i:4;:r:1;:O:8:"stdClass":0:{}}i:0;O:13:"RegexIterator":1:{i:5;C:8:"SplStack":29:{i:4;:r:1;:O:8:"stdClass":0:{}}}}
+STR;
+var_dump(unserialize($s));
+gc_collect_cycles();
+?>
+--EXPECT--
+object(stdClass)#1 (2) {
+ ["5"]=>
+ object(SplStack)#2 (2) {
+ ["flags":"SplDoublyLinkedList":private]=>
+ int(4)
+ ["dllist":"SplDoublyLinkedList":private]=>
+ array(2) {
+ [0]=>
+ *RECURSION*
+ [1]=>
+ object(stdClass)#3 (0) {
+ }
+ }
+ }
+ ["0"]=>
+ object(RegexIterator)#4 (2) {
+ ["replacement"]=>
+ NULL
+ ["5"]=>
+ object(SplStack)#5 (2) {
+ ["flags":"SplDoublyLinkedList":private]=>
+ int(4)
+ ["dllist":"SplDoublyLinkedList":private]=>
+ array(2) {
+ [0]=>
+ *RECURSION*
+ [1]=>
+ object(stdClass)#6 (0) {
+ }
+ }
+ }
+ }
+}
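Review bot: The serialized payload in the --FILE-- section has no comment saying where it came from or which part of it exercises the bug, so the link to oss-fuzz #23350 lives only in the commit message. A comment above the heredoc, such as `// Reduced from oss-fuzz #23350: SplStack instances referencing the root object, nested under stdClass and RegexIterator`, would keep that context with the test. The --EXPECT-- section also pins the full `var_dump()` of SplStack's private properties, while the call under test, `gc_collect_cycles()`, produces no output. Printing a marker after it, for example `echo "Done\n";`, would show that collection ran to completion. Whether the dump is needed to reproduce the original fuzzer case cannot be told from this hunk, so dropping it is only worth considering if it is not.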