Fixed bug #80411

References to null-serializations are stored as null, and as such
are part of the reference count.

Reminds me that we really need to deprecate the mess that is
Serializable.

NEWS

@@ -18,6 +18,8 @@ PHP                                                                        NEWS
 
 - Standard:
   . Fixed bug #80366 (Return Value of zend_fstat() not Checked). (sagpant, cmb)
+  . Fixed bug #80411 (References to null-serialized object break serialize()).
+    (Nikita)
 
 - Tidy:
   . Fixed bug #77594 (ob_tidyhandler is never reset). (cmb)

ext/standard/tests/serialize/bug80411.phpt

@@ -0,0 +1,31 @@
+--TEST--
+Bug #80411: References to null-serialized object break serialize()
+--FILE--
+<?php
+
+class UnSerializable implements Serializable
+{
+  public function serialize() {}
+  public function unserialize($serialized) {}
+}
+
+$unser = new UnSerializable();
+$arr = [$unser];
+$arr[1] = &$arr[0];
+$arr[2] = 'endcap';
+$arr[3] = &$arr[2];
+
+$data = serialize($arr);
+echo $data . PHP_EOL;
+$recovered = unserialize($data);
+var_export($recovered);
+
+?>
+--EXPECT--
+a:4:{i:0;N;i:1;N;i:2;s:6:"endcap";i:3;R:4;}
+array (
+  0 => NULL,
+  1 => NULL,
+  2 => 'endcap',
+  3 => 'endcap',
+)

ext/standard/var.c

@@ -677,7 +677,7 @@ static inline zend_long php_add_var_hash(php_serialize_data_t data, zval *var) /
 
 	if (zv) {
 		/* References are only counted once, undo the data->n increment above */
-		if (is_ref) {
+		if (is_ref && Z_LVAL_P(zv) != -1) {
 			data->n -= 1;
 		}