serialize: Fixed handling of nested object references

Martin Hoch · Martin Hoch · commit b2b7519b6e6e · 2023-05-23T18:27:03.000+02:00
The removed if in var.c caused serialize to not handle object references correctly under certain circumstances. See tests/serialize/serialization_objects_019.phpt The bug was originally introduced in commit 6c5942f, and the problematic line was last modified in commit bb0b4eb. (Fixes oss-fuzz #44954) The testcase from bb0b4eb still passes.
diff --git a/ext/standard/tests/serialize/serialization_objects_019.phpt b/ext/standard/tests/serialize/serialization_objects_019.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Object serialization with references
+--FILE--
+<?php
+function gen() {
+    $s = new stdClass;
+    $r = new stdClass;
+    $r->a = [$s];
+    $r->b = $r->a;
+    return $r;
+}
+var_dump(serialize(gen()));
+?>
+--EXPECTF--
+string(78) "O:8:"stdClass":2:{s:1:"a";a:1:{i:0;O:8:"stdClass":0:{}}s:1:"b";a:1:{i:0;r:3;}}"
+
+
diff --git a/ext/standard/var.c b/ext/standard/var.c
@@ -666,8 +666,6 @@ static inline zend_long php_add_var_hash(php_serialize_data_t data, zval *var) /
 		/* pass */
 	} else if (Z_TYPE_P(var) != IS_OBJECT) {
 		return 0;
-	} else if (Z_REFCOUNT_P(var) == 1 && (Z_OBJ_P(var)->properties == NULL || GC_REFCOUNT(Z_OBJ_P(var)->properties) == 1)) {
-		return 0;
 	}
 
 	/* References to objects are treated as if the reference didn't exist */

Original file line number	Diff line number	Diff line change
`@@ -666,8 +666,6 @@ static inline zend_long php_add_var_hash(php_serialize_data_t data, zval *var) /`
`666`	`666`	`/* pass */`
`667`	`667`	`} else if (Z_TYPE_P(var) != IS_OBJECT) {`
`668`	`668`	`return 0;`
`669`		`- } else if (Z_REFCOUNT_P(var) == 1 && (Z_OBJ_P(var)->properties == NULL \|\| GC_REFCOUNT(Z_OBJ_P(var)->properties) == 1)) {`
`670`		`- return 0;`
`671`	`669`	`}`
`672`	`670`
`673`	`671`	`/* References to objects are treated as if the reference didn't exist */`