Merge branch 'PHP-8.4'

iluuu1994 · iluuu1994 · commit 5b05d429f2dd · 2025-07-22T15:44:24.000+02:00
* PHP-8.4:
  Leak in failed unserialize() with opcache
diff --git a/ext/standard/tests/serialize/oss_fuzz_433303828.phpt b/ext/standard/tests/serialize/oss_fuzz_433303828.phpt
@@ -0,0 +1,13 @@
+--TEST--
+OSS-Fuzz #433303828
+--FILE--
+<?php
+
+unserialize('O:2:"yy": ');
+unserialize('O:2:"yy":: ');
+
+?>
+--EXPECTF--
+Warning: unserialize(): Error at offset 9 of 10 bytes in %s on line %d
+
+Warning: unserialize(): Error at offset 10 of 11 bytes in %s on line %d
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
@@ -1312,10 +1312,12 @@ object ":" uiv ":" ["]	{
 	YYCURSOR = *p;
 
 	if (*(YYCURSOR) != ':') {
+		zend_string_release_ex(class_name, 0);
 		return 0;
 	}
 	if (*(YYCURSOR+1) != '{') {
 		*p = YYCURSOR+1;
+		zend_string_release_ex(class_name, 0);
 		return 0;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -1312,10 +1312,12 @@ object ":" uiv ":" ["] {`
`1312`	`1312`	`YYCURSOR = *p;`
`1313`	`1313`
`1314`	`1314`	`if (*(YYCURSOR) != ':') {`
	`1315`	`+ zend_string_release_ex(class_name, 0);`
`1315`	`1316`	`return 0;`
`1316`	`1317`	`}`
`1317`	`1318`	`if (*(YYCURSOR+1) != '{') {`
`1318`	`1319`	`*p = YYCURSOR+1;`
	`1320`	`+ zend_string_release_ex(class_name, 0);`
`1319`	`1321`	`return 0;`
`1320`	`1322`	`}`
`1321`	`1323`