smalyshev/70068.diff Secret

## 70068.diff
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index ec9ce21..a37eced 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1774,13 +1774,11 @@ SPL_METHOD(Array, unserialize)

 	ALLOC_INIT_ZVAL(pflags);
 	if (!php_var_unserialize(&pflags, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pflags) != IS_LONG) {
-		zval_ptr_dtor(&pflags);
 		goto outexcept;
 	}

 	--p; /* for ';' */
 	flags = Z_LVAL_P(pflags);
-	zval_ptr_dtor(&pflags);
 	/* flags needs to be verified and we also need to verify whether the next
 	 * thing we get is ';'. After that we require an 'm' or somethign else
 	 * where 'm' stands for members and anything else should be an array. If
@@ -1830,10 +1828,16 @@ SPL_METHOD(Array, unserialize)
 	/* done reading $serialized */

 	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+	if (pflags) {
+		zval_ptr_dtor(&pflags);
+	}
 	return;

 outexcept:
 	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+	if (pflags) {
+		zval_ptr_dtor(&pflags);
+	}
 	zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len);
 	return;

diff --git a/ext/spl/tests/bug70068.phpt b/ext/spl/tests/bug70068.phpt
new file mode 100644
index 0000000..92a38df
--- /dev/null
+++ b/ext/spl/tests/bug70068.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #70068 (Dangling pointer in the unserialization of ArrayObject items)
+--FILE--
+<?php
+$a = unserialize('a:3:{i:0;C:11:"ArrayObject":20:{x:i:0;r:3;;m:a:0:{};}i:1;d:11;i:2;S:31:"AAAAAAAABBBBCCCC\01\00\00\00\04\00\00\00\00\00\00\00\00\00\00";}');
+?>
+OK
+--EXPECT--
+OK
\ No newline at end of file
	diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
	index ec9ce21..a37eced 100644
	--- a/ext/spl/spl_array.c
	+++ b/ext/spl/spl_array.c
	@@ -1774,13 +1774,11 @@ SPL_METHOD(Array, unserialize)

	ALLOC_INIT_ZVAL(pflags);
	if (!php_var_unserialize(&pflags, &p, s + buf_len, &var_hash TSRMLS_CC) \|\| Z_TYPE_P(pflags) != IS_LONG) {
	- zval_ptr_dtor(&pflags);
	goto outexcept;
	}

	--p; /* for ';' */
	flags = Z_LVAL_P(pflags);
	- zval_ptr_dtor(&pflags);
	/* flags needs to be verified and we also need to verify whether the next
	* thing we get is ';'. After that we require an 'm' or somethign else
	* where 'm' stands for members and anything else should be an array. If
	@@ -1830,10 +1828,16 @@ SPL_METHOD(Array, unserialize)
	/* done reading $serialized */

	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
	+ if (pflags) {
	+ zval_ptr_dtor(&pflags);
	+ }
	return;

	outexcept:
	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
	+ if (pflags) {
	+ zval_ptr_dtor(&pflags);
	+ }
	zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len);
	return;

	diff --git a/ext/spl/tests/bug70068.phpt b/ext/spl/tests/bug70068.phpt
	new file mode 100644
	index 0000000..92a38df
	--- /dev/null
	+++ b/ext/spl/tests/bug70068.phpt
	@@ -0,0 +1,9 @@
	+--TEST--
	+Bug #70068 (Dangling pointer in the unserialization of ArrayObject items)
	+--FILE--
	+<?php
	+$a = unserialize('a:3:{i:0;C:11:"ArrayObject":20:{x:i:0;r:3;;m:a:0:{};}i:1;d:11;i:2;S:31:"AAAAAAAABBBBCCCC\01\00\00\00\04\00\00\00\00\00\00\00\00\00\00";}');
	+?>
	+OK
	+--EXPECT--
	+OK
	\ No newline at end of file