Zend: Implement __unserialize() for Exception/Error

Girgias · Girgias · commit 125c1ff44f8c · 2025-09-13T18:18:00.000+01:00
diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c
@@ -396,6 +396,106 @@ ZEND_METHOD(Exception, __wakeup)
 }
 /* }}} */
 
+ZEND_METHOD(Exception, __unserialize)
+{
+	HashTable *ht;
+
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "h", &ht) == FAILURE) {
+		RETURN_THROWS();
+	}
+
+	zval *tmp = zend_hash_str_find(ht, ZEND_STRL("\0*\0message"));
+	if (tmp) {
+		if (Z_TYPE_P(tmp) != IS_STRING) {
+			zend_type_error("Cannot assign %s to property %s::$message of type string",
+				zend_zval_type_name(tmp), ZSTR_VAL(Z_OBJCE_P(ZEND_THIS)->name));
+			RETURN_THROWS();
+		}
+		zend_update_property_num_checked(NULL, Z_OBJ_P(ZEND_THIS), ZEND_EXCEPTION_MESSAGE_OFF, ZSTR_KNOWN(ZEND_STR_MESSAGE), tmp);
+		zval_add_ref(tmp);
+		if (UNEXPECTED(EG(exception))) {
+			RETURN_THROWS();
+		}
+	}
+
+	tmp = zend_hash_str_find(ht, ZEND_STRL("\0*\0code"));
+	if (tmp) {
+		if (Z_TYPE_P(tmp) != IS_LONG) {
+			zend_type_error("Cannot assign %s to property %s::$code of type int",
+				zend_zval_type_name(tmp), ZSTR_VAL(Z_OBJCE_P(ZEND_THIS)->name));
+			RETURN_THROWS();
+		}
+		zend_update_property_num_checked(NULL, Z_OBJ_P(ZEND_THIS), ZEND_EXCEPTION_CODE_OFF, ZSTR_KNOWN(ZEND_STR_CODE), tmp);
+		if (UNEXPECTED(EG(exception))) {
+			RETURN_THROWS();
+		}
+	}
+
+	tmp = zend_hash_str_find(ht, ZEND_STRL("\0*\0file"));
+	if (tmp) {
+		if (Z_TYPE_P(tmp) != IS_STRING) {
+			zend_type_error("Cannot assign %s to property %s::$file of type string",
+				zend_zval_type_name(tmp), ZSTR_VAL(Z_OBJCE_P(ZEND_THIS)->name));
+			RETURN_THROWS();
+		}
+		zend_update_property_num_checked(NULL, Z_OBJ_P(ZEND_THIS), ZEND_EXCEPTION_FILE_OFF, ZSTR_KNOWN(ZEND_STR_FILE), tmp);
+		zval_add_ref(tmp);
+		if (UNEXPECTED(EG(exception))) {
+			RETURN_THROWS();
+		}
+	}
+
+	tmp = zend_hash_str_find(ht, ZEND_STRL("\0*\0line"));
+	if (tmp) {
+		if (Z_TYPE_P(tmp) != IS_LONG) {
+			zend_type_error("Cannot assign %s to property %s::$line of type int",
+				zend_zval_type_name(tmp), ZSTR_VAL(Z_OBJCE_P(ZEND_THIS)->name));
+			RETURN_THROWS();
+		}
+		zend_update_property_num_checked(NULL, Z_OBJ_P(ZEND_THIS), ZEND_EXCEPTION_LINE_OFF, ZSTR_KNOWN(ZEND_STR_LINE), tmp);
+		if (UNEXPECTED(EG(exception))) {
+			RETURN_THROWS();
+		}
+	}
+
+	if (instanceof_function(Z_OBJCE_P(ZEND_THIS), zend_ce_exception)) {
+		tmp = zend_hash_str_find(ht, ZEND_STRL("\0Exception\0trace"));
+	} else {
+		tmp = zend_hash_str_find(ht, ZEND_STRL("\0Error\0trace"));
+	}
+	if (tmp) {
+		if (Z_TYPE_P(tmp) != IS_ARRAY) {
+			zend_type_error("Cannot assign %s to property %s::$trace of type array",
+				zend_zval_type_name(tmp), ZSTR_VAL(Z_OBJCE_P(ZEND_THIS)->name));
+			RETURN_THROWS();
+		}
+		zend_update_property_num_checked(NULL, Z_OBJ_P(ZEND_THIS), ZEND_EXCEPTION_TRACE_OFF, ZSTR_KNOWN(ZEND_STR_TRACE), tmp);
+		zval_add_ref(tmp);
+		if (UNEXPECTED(EG(exception))) {
+			RETURN_THROWS();
+		}
+	}
+
+	if (instanceof_function(Z_OBJCE_P(ZEND_THIS), zend_ce_exception)) {
+		tmp = zend_hash_str_find(ht, ZEND_STRL("\0Exception\0previous"));
+	} else {
+		tmp = zend_hash_str_find(ht, ZEND_STRL("\0Error\0previous"));
+	}
+	if (tmp) {
+		if (Z_TYPE_P(tmp) != IS_NULL && !instanceof_function(Z_OBJCE_P(tmp), zend_ce_throwable)) {
+			zend_type_error("Cannot assign %s to property %s::$previous of type ?Throwable",
+				zend_zval_type_name(tmp), ZSTR_VAL(Z_OBJCE_P(ZEND_THIS)->name));
+			RETURN_THROWS();
+		}
+		zend_update_property_num_checked(NULL, Z_OBJ_P(ZEND_THIS), ZEND_EXCEPTION_PREVIOUS_OFF, ZSTR_KNOWN(ZEND_STR_PREVIOUS), tmp);
+		zval_add_ref(tmp);
+		if (UNEXPECTED(EG(exception))) {
+			RETURN_THROWS();
+		}
+	}
+}
+/* }}} */
+
 /* {{{ ErrorException constructor */
 ZEND_METHOD(ErrorException, __construct)
 {
diff --git a/Zend/zend_exceptions.stub.php b/Zend/zend_exceptions.stub.php
@@ -47,6 +47,8 @@ public function __construct(string $message = "", int $code = 0, ?Throwable $pre
     /** @tentative-return-type */
     public function __wakeup(): void {}
 
+    public function __unserialize(array $data): void {}
+
     final public function getMessage(): string {}
 
     /** @return int */
@@ -111,6 +113,11 @@ public function __construct(string $message = "", int $code = 0, ?Throwable $pre
      */
     public function __wakeup(): void {}
 
+    /**
+     * @implementation-alias Exception::__unserialize
+     */
+    public function __unserialize(array $data): void {}
+
     /** @implementation-alias Exception::getMessage */
     final public function getMessage(): string {}
 
diff --git a/Zend/zend_exceptions_arginfo.h b/Zend/zend_exceptions_arginfo.h
diff --git a/ext/standard/tests/serialize/bug69152.phpt b/ext/standard/tests/serialize/bug69152.phpt
@@ -2,15 +2,25 @@
 Bug #69152: Type Confusion Infoleak Vulnerability in unserialize()
 --FILE--
 <?php
-$x = unserialize('O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"ryat";}');
-echo $x;
-$x =  unserialize('O:4:"test":1:{s:27:"__PHP_Incomplete_Class_Name";R:1;}');
-$x->test();
+try {
+	$x = unserialize('O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"ryat";}');
+	var_dump($x);
+} catch (Throwable $e) {
+	echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
+try {
+	$x = unserialize('O:4:"test":1:{s:27:"__PHP_Incomplete_Class_Name";R:1;}');
+	var_dump($x);
+	$x->test();
+} catch (Throwable $e) {
+	echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
 
 ?>
---EXPECTF--
-Fatal error: Uncaught TypeError: Cannot assign string to property Exception::$trace of type array in %s:%d
-Stack trace:
-#0 %s(%d): unserialize('O:9:"exception"...')
-#1 {main}
-  thrown in %s on line %d
+--EXPECT--
+TypeError: Cannot assign string to property Exception::$trace of type array
+object(__PHP_Incomplete_Class)#1 (1) {
+  ["__PHP_Incomplete_Class_Name"]=>
+  *RECURSION*
+}
+Error: The script tried to call a method on an incomplete object. Please ensure that the class definition "unknown" of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide an autoloader to load the class definition
diff --git a/ext/standard/tests/serialize/bug69793.phpt b/ext/standard/tests/serialize/bug69793.phpt
@@ -2,13 +2,13 @@
 Bug #69793: Remotely triggerable stack exhaustion via recursive method calls
 --FILE--
 <?php
-$e = unserialize('O:9:"Exception":7:{s:17:"'."\0".'Exception'."\0".'string";s:1:"a";s:7:"'."\0".'*'."\0".'code";i:0;s:7:"'."\0".'*'."\0".'file";s:0:"";s:7:"'."\0".'*'."\0".'line";i:1337;s:16:"'."\0".'Exception'."\0".'trace";a:0:{}s:19:"'."\0".'Exception'."\0".'previous";i:10;s:10:"'."\0".'*'."\0".'message";N;}');
-
-var_dump($e."");
+try {
+	$e = unserialize('O:9:"Exception":7:{s:17:"'."\0".'Exception'."\0".'string";s:1:"a";s:7:"'."\0".'*'."\0".'code";i:0;s:7:"'."\0".'*'."\0".'file";s:0:"";s:7:"'."\0".'*'."\0".'line";i:1337;s:16:"'."\0".'Exception'."\0".'trace";a:0:{}s:19:"'."\0".'Exception'."\0".'previous";i:10;s:10:"'."\0".'*'."\0".'message";N;}');
+	var_dump($e);
+	var_dump($e."");
+} catch (Throwable $e) {
+	echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
 ?>
---EXPECTF--
-Fatal error: Uncaught TypeError: Cannot assign int to property Exception::$previous of type ?Throwable in %s:%d
-Stack trace:
-#0 %s(%d): unserialize('O:9:"Exception"...')
-#1 {main}
-  thrown in %s on line %d
+--EXPECT--
+TypeError: Cannot assign null to property Exception::$message of type string
diff --git a/ext/standard/tests/serialize/bug70963.phpt b/ext/standard/tests/serialize/bug70963.phpt
@@ -2,12 +2,19 @@
 Bug #70963 (Unserialize shows UNKNOW in result)
 --FILE--
 <?php
-var_dump(unserialize('a:2:{i:0;O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"test";}i:1;R:3;}'));
-var_dump(unserialize('a:2:{i:0;O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"test";}i:1;r:3;}'));
+try {
+	var_dump(unserialize('a:2:{i:0;O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"test";}i:1;R:3;}'));
+} catch (Throwable $e) {
+	echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
+try {
+	var_dump(unserialize('a:2:{i:0;O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"test";}i:1;r:3;}'));
+} catch (Throwable $e) {
+	echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
 ?>
 --EXPECTF--
-Fatal error: Uncaught TypeError: Cannot assign string to property Exception::$trace of type array in %s:%d
-Stack trace:
-#0 %s(%d): unserialize('a:2:{i:0;O:9:"e...')
-#1 {main}
-  thrown in %s on line %d
+TypeError: Cannot assign string to property Exception::$trace of type array
+
+Warning: unserialize(): Error at offset 72 of 73 bytes in %s on line %d
+TypeError: Cannot assign string to property Exception::$trace of type array
