Fix GH-20101: SplHeap/SplPriorityQueue serialization exposes INDIRECTs

nielsdos · nielsdos · commit 0a84d2372999 · 2025-10-08T09:26:39.000+02:00
Exposing INDIRECTs to userland is not allowed and can lead to all sorts
of wrong behaviour. In this case it lead to UAF bugs.
Solve it by duplicating the properties table, which de-indirects the
elements and also decouples it for future modifications.
diff --git a/ext/spl/spl_heap.c b/ext/spl/spl_heap.c
@@ -1185,8 +1185,7 @@ PHP_METHOD(SplPriorityQueue, __serialize)
 
 	array_init(return_value);
 
-	ZVAL_ARR(&props, zend_std_get_properties(&intern->std));
-	Z_TRY_ADDREF(props);
+	ZVAL_ARR(&props, zend_array_dup(zend_std_get_properties(&intern->std)));
 	zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &props);
 
 	spl_heap_serialize_internal_state(&state, intern, true);
@@ -1239,32 +1238,6 @@ PHP_METHOD(SplPriorityQueue, __unserialize)
 	}
 }
 
-PHP_METHOD(SplHeap, __serialize)
-{
-	spl_heap_object *intern = Z_SPLHEAP_P(ZEND_THIS);
-	zval props, state;
-
-	ZEND_PARSE_PARAMETERS_NONE();
-
-	if (UNEXPECTED(spl_heap_consistency_validations(intern, false) != SUCCESS)) {
-		RETURN_THROWS();
-	}
-
-	if (intern->heap->flags & SPL_HEAP_WRITE_LOCKED) {
-		zend_throw_exception(spl_ce_RuntimeException, "Cannot serialize heap while it is being modified.", 0);
-		RETURN_THROWS();
-	}
-
-	array_init(return_value);
-
-	ZVAL_ARR(&props, zend_std_get_properties(&intern->std));
-	Z_TRY_ADDREF(props);
-	zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &props);
-
-	spl_heap_serialize_internal_state(&state, intern, false);
-	zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &state);
-}
-
 PHP_METHOD(SplHeap, __unserialize)
 {
 	HashTable *data;
diff --git a/ext/spl/spl_heap.stub.php b/ext/spl/spl_heap.stub.php
@@ -134,7 +134,10 @@ public function isCorrupted(): bool {}
     /** @tentative-return-type */
     public function __debugInfo(): array {}
 
-    /** @tentative-return-type */
+    /**
+     * @tentative-return-type
+     * @implementation-alias SplPriorityQueue::__serialize
+     */
     public function __serialize(): array {}
 
     /** @tentative-return-type */
diff --git a/ext/spl/spl_heap_arginfo.h b/ext/spl/spl_heap_arginfo.h
diff --git a/ext/spl/tests/gh20101.phpt b/ext/spl/tests/gh20101.phpt
@@ -0,0 +1,49 @@
+--TEST--
+GH-20101 (SplHeap/SplPriorityQueue serialization exposes INDIRECTs)
+--FILE--
+<?php
+class CustomHeap extends SplMaxHeap {
+    public $field = 0;
+}
+$heap = new CustomHeap();
+$data = $heap->__serialize();
+var_dump($data);
+
+class CustomPriorityQueue extends SplPriorityQueue {
+    public $field = 0;
+}
+$pqueue = new CustomPriorityQueue();
+$data = $pqueue->__serialize();
+var_dump($data);
+?>
+--EXPECT--
+array(2) {
+  [0]=>
+  array(1) {
+    ["field"]=>
+    int(0)
+  }
+  [1]=>
+  array(2) {
+    ["flags"]=>
+    int(0)
+    ["heap_elements"]=>
+    array(0) {
+    }
+  }
+}
+array(2) {
+  [0]=>
+  array(1) {
+    ["field"]=>
+    int(0)
+  }
+  [1]=>
+  array(2) {
+    ["flags"]=>
+    int(1)
+    ["heap_elements"]=>
+    array(0) {
+    }
+  }
+}
