Fix GH-12265: Cloning an object breaks serialization recursion

nielsdos · nielsdos · commit 0a5576468412 · 2023-09-24T21:22:42.000+02:00
diff --git a/ext/standard/tests/serialize/gh12265.phpt b/ext/standard/tests/serialize/gh12265.phpt
@@ -0,0 +1,47 @@
+--TEST--
+GH-12265 (Cloning an object breaks serialization recursion)
+--FILE--
+<?php
+
+class A {
+    public function __construct(public B $x) {
+    }
+}
+
+class B {
+    public A $a;
+
+    public function __serialize()
+    {
+        return ['a' => new A($this)];
+    }
+}
+
+class C {
+    public B $b;
+
+    public function __construct() {
+        $this->b = new B;
+    }
+}
+
+$b = new B();
+$sb = serialize($b);
+$stb = serialize(new B);
+
+printf("serialized original:    %s\n", $sb);
+printf("serialized temp    :    %s\n", $stb);
+
+$c = new C;
+$sc = serialize($c);
+$stc = serialize(new C);
+
+printf("serialized original:    %s\n", $sc);
+printf("serialized temp    :    %s\n", $stc);
+
+?>
+--EXPECT--
+serialized original:    O:1:"B":1:{s:1:"a";O:1:"A":1:{s:1:"x";r:1;}}
+serialized temp    :    O:1:"B":1:{s:1:"a";O:1:"A":1:{s:1:"x";r:1;}}
+serialized original:    O:1:"C":1:{s:1:"b";O:1:"B":1:{s:1:"a";O:1:"A":1:{s:1:"x";r:2;}}}
+serialized temp    :    O:1:"C":1:{s:1:"b";O:1:"B":1:{s:1:"a";O:1:"A":1:{s:1:"x";r:2;}}}
diff --git a/ext/standard/var.c b/ext/standard/var.c
@@ -671,7 +671,9 @@ static inline zend_long php_add_var_hash(php_serialize_data_t data, zval *var, b
 		return 0;
 	} else if (!in_rcn_array
 	 && Z_REFCOUNT_P(var) == 1
-	 && (Z_OBJ_P(var)->properties == NULL || GC_REFCOUNT(Z_OBJ_P(var)->properties) == 1)) {
+	 && (Z_OBJ_P(var)->properties == NULL || GC_REFCOUNT(Z_OBJ_P(var)->properties) == 1)
+	 /* __serialize may arbitrarily increase the refcount */
+	 && Z_OBJCE_P(var)->__serialize == NULL) {
 		return 0;
 	}
 
