Fix shm corruption with coercion in options of unserialize()

Closes phpGH-20129.

Author: ndossche

NEWS

@@ -41,6 +41,9 @@ PHP                                                                        NEWS
   . Partially fixed bug GH-16317 (SimpleXML does not allow __debugInfo() overrides
     to work). (nielsdos)
 
+- Standard:
+  . Fix shm corruption with coercion in options of unserialize(). (nielsdos)
+
 - XMLReader:
   . Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available.
     (nielsdos)

ext/standard/tests/serialize/shm_corruption_coercion_unserialize_options.phpt

@@ -0,0 +1,8 @@
+--TEST--
+Shm corruption with coercion in options of unserialize()
+--FILE--
+<?php
+unserialize("{}", ["allowed_classes" => [0]]);
+?>
+--EXPECTF--
+Warning: unserialize(): Error at offset 0 of 2 bytes in %s on line %d

ext/standard/var.c

@@ -1366,13 +1366,14 @@ PHPAPI void php_unserialize_with_options(zval *return_value, const char *buf, co
 		}
 		if(class_hash && Z_TYPE_P(classes) == IS_ARRAY) {
 			zval *entry;
-			zend_string *lcname;
+			zend_string *lcname, *tmp_str, *str;
 
 			ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(classes), entry) {
-				convert_to_string(entry);
-				lcname = zend_string_tolower(Z_STR_P(entry));
+				str = zval_get_tmp_string(entry, &tmp_str);
+				lcname = zend_string_tolower(str);
 				zend_hash_add_empty_element(class_hash, lcname);
 		        zend_string_release_ex(lcname, 0);
+				zend_tmp_string_release(tmp_str);
 			} ZEND_HASH_FOREACH_END();
 
 			/* Exception during string conversion. */