From 0d3da6ac25c78f4e516a47eb8c49443515b72b25 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Mon, 16 Sep 2019 13:52:52 +0200
Subject: [PATCH] Fix segfault when unserializing abstract class
---
 .../serialize/unserialize_abstract_class.phpt | 15 +++++++++++++++
 ext/standard/var_unserializer.re | 6 +++++-
 2 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 ext/standard/tests/serialize/unserialize_abstract_class.phpt
diff --git a/ext/standard/tests/serialize/unserialize_abstract_class.phpt b/ext/standard/tests/serialize/unserialize_abstract_class.phpt
new file mode 100644
index 00000000000..e835e504669
--- /dev/null
+++ b/ext/standard/tests/serialize/unserialize_abstract_class.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Unserializing an abstract class should fail
+--FILE--
+getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Cannot instantiate abstract class RecursiveFilterIterator
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index ba425e692ec..fcc68dc4312 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -1144,7 +1144,11 @@ object ":" uiv ":" ["] {
 return 0;
 }
- object_init_ex(rval, ce);
+ if (object_init_ex(rval, ce) == FAILURE) {
+ zend_string_release_ex(class_name, 0);
+ return 0;
+ }
+
 if (incomplete_class) {
 php_store_class_name(rval, ZSTR_VAL(class_name), len2);
 }
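Review bot: The new `object_init_ex(rval, ce) == FAILURE` branch in var_unserializer.re returns without a comment saying when the call can fail, which matters because the class being instantiated is named by the serialized payload. I would add `/* object_init_ex() throws and fails for non-instantiable classes (e.g. abstract); rval is not an object past this point */` directly above the check. The added test covers only an abstract class, so interface and trait names, which presumably reach the same branch, deserve a case each. Any other `object_init_ex()` call in this file whose result is ignored (none is visible in this hunk) likely needs the same guard. The body of the `object` rule starts before and continues after the hunk.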