Patch for 73029

## 73029.diff
commit 6d16288150be33392a3249e417a0929881feb9a2
Author: Stanislav Malyshev <stas@php.net>
Date:   Sun Sep 11 20:24:13 2016 -0700

    Fix bug #73029 - Missing type check when unserializing SplArray

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 42a8e7a..700d609 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -308,7 +308,7 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object,
 	long index;
 	HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);

-	if (!offset) {
+	if (!offset || !ht) {
 		return &EG(uninitialized_zval_ptr);
 	}

@@ -1810,7 +1810,9 @@ SPL_METHOD(Array, unserialize)
 		intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK;
 		zval_ptr_dtor(&intern->array);
 		ALLOC_INIT_ZVAL(intern->array);
-		if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+		if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)
+				|| (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) {
+			zval_ptr_dtor(&intern->array);
 			goto outexcept;
 		}
 		var_push_dtor(&var_hash, &intern->array);
diff --git a/ext/spl/tests/bug73029.phpt b/ext/spl/tests/bug73029.phpt
new file mode 100644
index 0000000..a379f80
--- /dev/null
+++ b/ext/spl/tests/bug73029.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #73029: Missing type check when unserializing SplArray
+--FILE--
+<?php
+try {
+$a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}';
+$m = unserialize($a);
+$x = $m[2];
+} catch(UnexpectedValueException $e) {
+	print $e->getMessage() . "\n";
+}
+?>
+DONE
+--EXPECTF--
+Error at offset 10 of 19 bytes
+DONE
	commit 6d16288150be33392a3249e417a0929881feb9a2
	Author: Stanislav Malyshev <stas@php.net>
	Date: Sun Sep 11 20:24:13 2016 -0700

	Fix bug #73029 - Missing type check when unserializing SplArray

	diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
	index 42a8e7a..700d609 100644
	--- a/ext/spl/spl_array.c
	+++ b/ext/spl/spl_array.c
	@@ -308,7 +308,7 @@ static zval *spl_array_get_dimension_ptr_ptr(int check_inherited, zval object,
	long index;
	HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);

	- if (!offset) {
	+ if (!offset \|\| !ht) {
	return &EG(uninitialized_zval_ptr);
	}

	@@ -1810,7 +1810,9 @@ SPL_METHOD(Array, unserialize)
	intern->ar_flags \|= flags & SPL_ARRAY_CLONE_MASK;
	zval_ptr_dtor(&intern->array);
	ALLOC_INIT_ZVAL(intern->array);
	- if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {
	+ if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)
	+ \|\| (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) {
	+ zval_ptr_dtor(&intern->array);
	goto outexcept;
	}
	var_push_dtor(&var_hash, &intern->array);
	diff --git a/ext/spl/tests/bug73029.phpt b/ext/spl/tests/bug73029.phpt
	new file mode 100644
	index 0000000..a379f80
	--- /dev/null
	+++ b/ext/spl/tests/bug73029.phpt
	@@ -0,0 +1,16 @@
	+--TEST--
	+Bug #73029: Missing type check when unserializing SplArray
	+--FILE--
	+<?php
	+try {
	+$a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}';
	+$m = unserialize($a);
	+$x = $m[2];
	+} catch(UnexpectedValueException $e) {
	+ print $e->getMessage() . "\n";
	+}
	+?>
	+DONE
	+--EXPECTF--
	+Error at offset 10 of 19 bytes
	+DONE