More fixes for bug #69152

Author: smalyshev

Zend/zend_exceptions.c

@@ -591,6 +591,9 @@ ZEND_METHOD(exception, getTraceAsString)
 	str = &res;
 
 	trace = zend_read_property(default_exception_ce, getThis(), "trace", sizeof("trace")-1, 1 TSRMLS_CC);
+	if(Z_TYPE_P(trace) != IS_ARRAY) {
+		RETURN_FALSE;
+	}
 	zend_hash_apply_with_arguments(Z_ARRVAL_P(trace) TSRMLS_CC, (apply_func_args_t)_build_trace_string, 3, str, len, &num);
 
 	s_tmp = emalloc(1 + MAX_LENGTH_OF_LONG + 7 + 1);

ext/standard/tests/serialize/bug69152.phpt

@@ -0,0 +1,16 @@
+--TEST--
+Bug #69152: Type Confusion Infoleak Vulnerability in unserialize()
+--FILE--
+<?php
+$x = unserialize('O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"ryat";}');
+echo $x;
+$x =  unserialize('O:4:"test":1:{s:27:"__PHP_Incomplete_Class_Name";R:1;}');
+$x->test();
+
+?>
+--EXPECTF--
+exception 'Exception' in %s:%d
+Stack trace:
+#0 {main}
+
+Fatal error: main(): The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition "unknown" of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide a __autoload() function to load the class definition  in %s on line %d