From 9411205a0eba38eb55891b3c2713f62d329a1231 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@bastelstu.be>
Date: Mon, 8 Sep 2025 20:53:29 +0200
Subject: [PATCH 1/2] zend_API: Do not overwrite `readonly` properties in
 `object_properties_load()`

Fixes php/php-src#19765.
---
 Zend/zend_API.c                               |  8 +++++++
 .../03_randomizer/gh_19765_unserialize.phpt   | 21 +++++++++++++++++++
 .../03_randomizer/gh_9186_unserialize.phpt    |  2 +-
 3 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 ext/random/tests/03_randomizer/gh_19765_unserialize.phpt

diff --git a/Zend/zend_API.c b/Zend/zend_API.c
index 79800a61a0476..ed6b24bc55216 100644
--- a/Zend/zend_API.c
+++ b/Zend/zend_API.c
@@ -1701,6 +1701,14 @@ ZEND_API void object_properties_load(zend_object *object, HashTable *properties)
 				property_info &&
 				(property_info->flags & ZEND_ACC_STATIC) == 0) {
 				zval *slot = OBJ_PROP(object, property_info->offset);
+				if (UNEXPECTED((property_info->flags & ZEND_ACC_READONLY) && !Z_ISUNDEF_P(slot))) {
+					if (Z_PROP_FLAG_P(slot) & IS_PROP_REINITABLE) {
+						Z_PROP_FLAG_P(slot) &= ~IS_PROP_REINITABLE;
+					} else {
+						zend_readonly_property_modification_error(property_info);
+						return;
+					}
+				}
 				zval_ptr_dtor(slot);
 				ZVAL_COPY_VALUE(slot, prop);
 				zval_add_ref(slot);
diff --git a/ext/random/tests/03_randomizer/gh_19765_unserialize.phpt b/ext/random/tests/03_randomizer/gh_19765_unserialize.phpt
new file mode 100644
index 0000000000000..24abfca293fc5
--- /dev/null
+++ b/ext/random/tests/03_randomizer/gh_19765_unserialize.phpt
@@ -0,0 +1,21 @@
+--TEST--
+GH-19765: object_properties_load() bypasses readonly property checks
+--FILE--
+<?php
+
+use Random\Engine\Mt19937;
+use Random\Engine\PcgOneseq128XslRr64;
+use Random\Randomizer;
+
+try {
+    $r = new Randomizer(new Mt19937());
+    $r->__unserialize([['engine' => new PcgOneseq128XslRr64()]]);
+} catch (Exception $error) {
+    echo $error->getMessage() . "\n";
+}
+var_dump($r->engine::class);
+
+?>
+--EXPECT--
+Invalid serialization data for Random\Randomizer object
+string(21) "Random\Engine\Mt19937"
diff --git a/ext/random/tests/03_randomizer/gh_9186_unserialize.phpt b/ext/random/tests/03_randomizer/gh_9186_unserialize.phpt
index fe1acb2f74be4..edadb7380bd1f 100644
--- a/ext/random/tests/03_randomizer/gh_9186_unserialize.phpt
+++ b/ext/random/tests/03_randomizer/gh_9186_unserialize.phpt
@@ -1,5 +1,5 @@
 --TEST--
-Fix GH-9186 @strict-properties can be bypassed using unserialization
+GH-9186: @strict-properties can be bypassed using unserialization
 --FILE--
 <?php
 

From 34a2ae32ef0a9dc6d4606d0696e734ea80a1e4da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@bastelstu.be>
Date: Tue, 9 Sep 2025 18:44:35 +0200
Subject: [PATCH 2/2] NEWS

---
 NEWS | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/NEWS b/NEWS
index b006f93e0c32c..b11f00ad7d162 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,8 @@ PHP                                                                        NEWS
   . Fixed bug GH-19681 (PHP_EXPAND_PATH broken with bash 5.3.0). (Remi)
   . Fixed bug GH-19720 (Assertion failure when error handler throws when
     accessing a deprecated constant). (nielsdos)
+  . Fixed bug GH-19765 (object_properties_load() bypasses readonly property
+    checks). (timwolla)
 
 - CLI:
   . Fixed bug GH-19461 (Improve error message on listening error with IPv6