From 144d2ee29a38abf59d1e2533f76079bf61af70f5 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Fri, 25 Oct 2024 19:45:13 +0200
Subject: [PATCH] Fix GH-16588: UAF in Observer->serialize

Closes GH-16600.
---
 NEWS | 1 +
 ext/spl/spl_observer.c | 9 ++++++++-
 ext/spl/tests/gh16588.phpt | 22 ++++++++++++++++++++++
 3 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 ext/spl/tests/gh16588.phpt

diff --git a/NEWS b/NEWS
index 7ebe4c3e1ad..65a257c2b78 100644
--- a/NEWS
+++ b/NEWS
@@ -102,6 +102,7 @@ PHP NEWS
(ilutov)
. Fixed bug GH-16479 (Use-after-free in SplObjectStorage::setInfo()). (ilutov)
. Fixed bug GH-16478 (Use-after-free in SplFixedArray::unset()). (ilutov)
+ . Fixed bug GH-16588 (UAF in Observer->serialize). (nielsdos)

- Standard:
. Fixed bug GH-16293 (Failed assertion when throwing in assert() callback with
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index cc2956ccc27..d3b58f0d762 100644
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -797,11 +797,18 @@ PHP_METHOD(SplObjectStorage, serialize)
RETURN_NULL();
}
ZVAL_OBJ(&obj, element->obj);
+
+ /* Protect against modification; we need a full copy because the data may be refcounted. */
+ zval inf_copy;
+ ZVAL_COPY(&inf_copy, &element->inf);
+
php_var_serialize(&buf, &obj, &var_hash);
smart_str_appendc(&buf, ',');
- php_var_serialize(&buf, &element->inf, &var_hash);
+ php_var_serialize(&buf, &inf_copy, &var_hash);
smart_str_appendc(&buf, ';');
zend_hash_move_forward_ex(&intern->storage, &pos);
+
+ zval_ptr_dtor(&inf_copy);
}

/* members */
diff --git a/ext/spl/tests/gh16588.phpt b/ext/spl/tests/gh16588.phpt
new file mode 100644
index 00000000000..6cf668716ac
--- /dev/null
+++ b/ext/spl/tests/gh16588.phpt
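Review bot: The comment added above `zval inf_copy` ("Protect against modification") understates the invariant the fix relies on: `php_var_serialize(&buf, &obj, &var_hash)` can re-enter user code through the object's serialize hook, and that code can remove the element from the storage (as the new test does), freeing `element` and the zval it held — the owning copy is what keeps `inf` alive, and `element` must not be dereferenced after that call. I would state that explicitly, e.g. `/* Serializing obj may run user code that removes this element from the storage, freeing element and element->inf; take an owning copy first and do not touch element after the obj serialization below. */`. The same reasoning seems to apply to `obj` itself: `ZVAL_OBJ` takes no reference, so if the storage held the only reference to `element->obj` and the callback releases it, `obj` would be stale for the remainder of the call — worth confirming whether the engine pins the callee object for the duration of its own method; if it does not, an addref/`zval_ptr_dtor(&obj)` pair mirroring `inf_copy` would close that gap. `zend_hash_move_forward_ex(&intern->storage, &pos)` is then reached with a position that may index a table mutated by the callback; I believe that routine tolerates a stale position, but the loop depends on it and its head and tail lie outside this hunk.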
@@ -0,0 +1,22 @@
+--TEST--
+GH-16588 (UAF in Observer->serialize)
+--CREDITS--
+chibinz
+--FILE--
+removeAll($store);
+ return [];
+ }
+}
+
+$store = new SplObjectStorage;
+$store[new C] = new stdClass;
+var_dump($store->serialize());
+
+?>
+--EXPECT--
+string(47) "x:i:1;O:1:"C":0:{},O:8:"stdClass":0:{};m:a:0:{}"