Fix type checks during unserialization

Author: nikic

ext/standard/tests/serialize/typed_property_refs.phpt

@@ -18,33 +18,56 @@ class C {
 	public string $b;
 }
 
+class D {
+    public int $a;
+    public float $b;
+}
+
 var_dump(unserialize('O:1:"A":2:{s:1:"a";i:1;s:1:"b";R:2;}'));
 var_dump(unserialize('O:1:"B":2:{s:1:"a";i:1;s:1:"b";R:2;}'));
-var_dump(unserialize('O:1:"A":2:{s:1:"a";N;s:1:"b";R:2;}'));
-var_dump(unserialize('O:1:"B":2:{s:1:"a";N;s:1:"b";R:2;}'));
-var_dump(unserialize('O:1:"C":2:{s:1:"a";i:1;s:1:"b";R:2;}'));
-var_dump(unserialize('O:1:"C":2:{s:1:"b";s:1:"x";s:1:"a";R:2;}'));
+
+try {
+    var_dump(unserialize('O:1:"A":2:{s:1:"a";N;s:1:"b";R:2;}'));
+} catch (TypeError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    var_dump(unserialize('O:1:"B":2:{s:1:"a";N;s:1:"b";R:2;}'));
+} catch (TypeError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    var_dump(unserialize('O:1:"C":2:{s:1:"a";i:1;s:1:"b";R:2;}'));
+} catch (TypeError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    var_dump(unserialize('O:1:"C":2:{s:1:"b";s:1:"x";s:1:"a";R:2;}'));
+} catch (TypeError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    var_dump(unserialize('O:1:"D":2:{s:1:"a";i:1;s:1:"b";R:2;}'));
+} catch (TypeError $e) {
+    echo $e->getMessage(), "\n";
+}
 
 ?>
---EXPECTF--
+--EXPECT--
 object(A)#1 (2) {
   ["a"]=>
   &int(1)
   ["b"]=>
   &int(1)
 }
-
-Notice: unserialize(): Error at offset 35 of 36 bytes in %s on line %d
-bool(false)
-
-Notice: unserialize(): Error at offset 21 of 34 bytes in %s on line %d
-bool(false)
-
-Notice: unserialize(): Error at offset 33 of 34 bytes in %s on line %d
-bool(false)
-
-Notice: unserialize(): Error at offset 35 of 36 bytes in %s on line %d
-bool(false)
-
-Notice: unserialize(): Error at offset 39 of 40 bytes in %s on line %d
-bool(false)
+object(B)#1 (2) {
+  ["a"]=>
+  &int(1)
+  ["b"]=>
+  &int(1)
+}
+Typed property A::$a must be int, null used
+Typed property B::$b must be int, null used
+Typed property C::$b must be string, int used
+Typed property C::$a must be int, string used
+Reference with value of type int held by property D::$a of type int is not compatible with property D::$b of type float

ext/standard/var_unserializer.re

@@ -404,7 +404,7 @@ static int php_var_unserialize_internal(UNSERIALIZE_PARAMETER, int as_key);
 static zend_always_inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, zend_long elements, zend_class_entry *ce)
 {
 	while (elements-- > 0) {
-		zval key, *data, d, *old_data, tmp;
+		zval key, *data, d, *old_data;
 		zend_ulong idx;
 		zend_property_info *info = NULL;
 
@@ -553,15 +553,15 @@ string_key:
 		}
 
 		if (UNEXPECTED(info)) {
-			// TODO Throw an error instead?
-			// TODO Handle references correctly
-			ZVAL_COPY_VALUE(&tmp, data);
-			if (UNEXPECTED(!zend_verify_property_type(info, &tmp, 1))) {
+			if (!zend_verify_prop_assignable_by_ref(info, data, /* strict */ 1)) {
+				zval_ptr_dtor(data);
+				ZVAL_UNDEF(data);
 				zval_dtor(&key);
 				return 0;
 			}
-			data = &tmp;
-			ZVAL_COPY(old_data, data);
+			if (Z_ISREF_P(data)) {
+				ZEND_REF_ADD_TYPE_SOURCE(Z_REF_P(data), info);
+			}
 		}
 
 		if (BG(unserialize).level > 1) {