From b516ad086ab5bf8a93829abf103b750aa2472b57 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Wed, 8 Oct 2025 09:31:00 +0200
Subject: [PATCH] Fix Randomizer::__serialize() wrt INDIRECTs

First follow-up to GH-20102.
INDIRECTs must never get exposed to userland. The simple solution is to
duplicate the properties array.
---
 ext/random/randomizer.c                        |  3 +--
 .../methods/__serialize_indirects.phpt         | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 ext/random/tests/03_randomizer/methods/__serialize_indirects.phpt

diff --git a/ext/random/randomizer.c b/ext/random/randomizer.c
index fe9ad5fc35a9c..6254fe27c9c56 100644
--- a/ext/random/randomizer.c
+++ b/ext/random/randomizer.c
@@ -468,8 +468,7 @@ PHP_METHOD(Random_Randomizer, __serialize)
 	ZEND_PARSE_PARAMETERS_NONE();
 
 	array_init(return_value);
-	ZVAL_ARR(&t, zend_std_get_properties(&randomizer->std));
-	Z_TRY_ADDREF(t);
+	ZVAL_ARR(&t, zend_array_dup(zend_std_get_properties(&randomizer->std)));
 	zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &t);
 }
 /* }}} */
diff --git a/ext/random/tests/03_randomizer/methods/__serialize_indirects.phpt b/ext/random/tests/03_randomizer/methods/__serialize_indirects.phpt
new file mode 100644
index 0000000000000..1207e18dd829c
--- /dev/null
+++ b/ext/random/tests/03_randomizer/methods/__serialize_indirects.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Random: Engine: __serialize() must not expose INDIRECTs
+--FILE--
+<?php
+
+$randomizer = new Random\Randomizer(null);
+var_dump($randomizer->__serialize());
+
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  array(1) {
+    ["engine"]=>
+    object(Random\Engine\Secure)#2 (0) {
+    }
+  }
+}