From 44af9adf79b6947a409faa465bcd96860d56fd40 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Wed, 8 Oct 2025 17:32:30 +0200
Subject: [PATCH 1/6] Drop LIBXML_HTML_ENABLED checks (#20083)

It is possible to build libxml without HTML support, which would mean
that PHP does not support the saveHtml() features and HTML parsing in
general. It also adds some maintenance complexity. I'm not aware of any
distro that does this and it shows: this has been broken since stubs
have been introduced. So we can just drop it as clearly no one cares
about this or we would've known about it already. It also simplifies
downstream code because they can now rely on the HTML functionality to
always be available.
---
 ext/dom/document.c        |  4 ----
 ext/dom/php_dom.c         | 12 ------------
 ext/dom/php_dom.h         |  2 --
 ext/dom/php_dom.stub.php  |  2 --
 ext/dom/php_dom_arginfo.h | 18 +++---------------
 5 files changed, 3 insertions(+), 35 deletions(-)

diff --git a/ext/dom/document.c b/ext/dom/document.c
index 6db729535d30a..c56ec257cec31 100644
--- a/ext/dom/document.c
+++ b/ext/dom/document.c
@@ -2040,8 +2040,6 @@ PHP_METHOD(DOMDocument, relaxNGValidateSource)
 
 #endif
 
-#ifdef LIBXML_HTML_ENABLED
-
 static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
 {
 	char *source;
@@ -2234,8 +2232,6 @@ PHP_METHOD(DOMDocument, saveHTML)
 }
 /* }}} end dom_document_save_html */
 
-#endif  /* defined(LIBXML_HTML_ENABLED) */
-
 /* {{{ Register extended class used to create base node type */
 static void dom_document_register_node_class(INTERNAL_FUNCTION_PARAMETERS, bool modern)
 {
diff --git a/ext/dom/php_dom.c b/ext/dom/php_dom.c
index 095d07e875ea9..d360163ab5e5f 100644
--- a/ext/dom/php_dom.c
+++ b/ext/dom/php_dom.c
@@ -1369,9 +1369,7 @@ PHP_MINFO_FUNCTION(dom)
 	php_info_print_table_row(2, "DOM/XML", "enabled");
 	php_info_print_table_row(2, "DOM/XML API Version", DOM_API_VERSION);
 	php_info_print_table_row(2, "libxml Version", LIBXML_DOTTED_VERSION);
-#ifdef LIBXML_HTML_ENABLED
 	php_info_print_table_row(2, "HTML Support", "enabled");
-#endif
 #ifdef LIBXML_XPATH_ENABLED
 	php_info_print_table_row(2, "XPath Support", "enabled");
 #endif
@@ -2709,20 +2707,10 @@ xmlChar *php_dom_libxml_fix_file_path(xmlChar *path)
 
 xmlDocPtr php_dom_create_html_doc(void)
 {
-#ifdef LIBXML_HTML_ENABLED
 	xmlDocPtr lxml_doc = htmlNewDocNoDtD(NULL, NULL);
 	if (EXPECTED(lxml_doc)) {
 		lxml_doc->dict = xmlDictCreate();
 	}
-#else
-	/* If HTML support is not enabled, then htmlNewDocNoDtD() is not available.
-	 * This code mimics the behaviour. */
-	xmlDocPtr lxml_doc = xmlNewDoc((const xmlChar *) "1.0");
-	if (EXPECTED(lxml_doc)) {
-		lxml_doc->type = XML_HTML_DOCUMENT_NODE;
-		lxml_doc->dict = xmlDictCreate();
-	}
-#endif
 	return lxml_doc;
 }
 
diff --git a/ext/dom/php_dom.h b/ext/dom/php_dom.h
index 34cc4af85c568..e44f74eadeb37 100644
--- a/ext/dom/php_dom.h
+++ b/ext/dom/php_dom.h
@@ -34,10 +34,8 @@ extern zend_module_entry dom_module_entry;
 #include <libxml/xinclude.h>
 #include <libxml/hash.h>
 #include <libxml/c14n.h>
-#ifdef LIBXML_HTML_ENABLED
 #include <libxml/HTMLparser.h>
 #include <libxml/HTMLtree.h>
-#endif
 #ifdef LIBXML_XPATH_ENABLED
 #include <libxml/xpath.h>
 #include <libxml/xpathInternals.h>
diff --git a/ext/dom/php_dom.stub.php b/ext/dom/php_dom.stub.php
index 7236e80b4d247..37a1bea62b627 100644
--- a/ext/dom/php_dom.stub.php
+++ b/ext/dom/php_dom.stub.php
@@ -1013,7 +1013,6 @@ public function registerNodeClass(string $baseClass, ?string $extendedClass): tr
         /** @tentative-return-type */
         public function save(string $filename, int $options = 0): int|false {}
 
-#ifdef LIBXML_HTML_ENABLED
         /** @tentative-return-type */
         public function loadHTML(string $source, int $options = 0): bool {}
 
@@ -1025,7 +1024,6 @@ public function saveHTML(?DOMNode $node = null): string|false {}
 
         /** @tentative-return-type */
         public function saveHTMLFile(string $filename): int|false {}
-#endif
 
         /** @tentative-return-type */
         public function saveXML(?DOMNode $node = null, int $options = 0): string|false {}
diff --git a/ext/dom/php_dom_arginfo.h b/ext/dom/php_dom_arginfo.h
index 9b2e467d1c6a9..1f3f9fd0a8a24 100644
--- a/ext/dom/php_dom_arginfo.h
+++ b/ext/dom/php_dom_arginfo.h
@@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: 757889c0ca89cc8e9905ba465e0621fe89b6e716 */
+ * Stub hash: e3495cb89e4466d9102abb10bf6461989b7c8ba9 */
 
 ZEND_BEGIN_ARG_WITH_RETURN_OBJ_TYPE_MASK_EX(arginfo_dom_import_simplexml, 0, 1, DOMAttr|DOMElement, 0)
 	ZEND_ARG_TYPE_INFO(0, node, IS_OBJECT, 0)
@@ -404,16 +404,9 @@ ZEND_BEGIN_ARG_WITH_TENTATIVE_RETURN_TYPE_MASK_EX(arginfo_class_DOMDocument_save
 	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, options, IS_LONG, 0, "0")
 ZEND_END_ARG_INFO()
 
-#if defined(LIBXML_HTML_ENABLED)
-ZEND_BEGIN_ARG_WITH_TENTATIVE_RETURN_TYPE_INFO_EX(arginfo_class_DOMDocument_loadHTML, 0, 1, _IS_BOOL, 0)
-	ZEND_ARG_TYPE_INFO(0, source, IS_STRING, 0)
-	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, options, IS_LONG, 0, "0")
-ZEND_END_ARG_INFO()
+#define arginfo_class_DOMDocument_loadHTML arginfo_class_DOMDocument_loadXML
 
-ZEND_BEGIN_ARG_WITH_TENTATIVE_RETURN_TYPE_INFO_EX(arginfo_class_DOMDocument_loadHTMLFile, 0, 1, _IS_BOOL, 0)
-	ZEND_ARG_TYPE_INFO(0, filename, IS_STRING, 0)
-	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, options, IS_LONG, 0, "0")
-ZEND_END_ARG_INFO()
+#define arginfo_class_DOMDocument_loadHTMLFile arginfo_class_DOMDocument_load
 
 ZEND_BEGIN_ARG_WITH_TENTATIVE_RETURN_TYPE_MASK_EX(arginfo_class_DOMDocument_saveHTML, 0, 0, MAY_BE_STRING|MAY_BE_FALSE)
 	ZEND_ARG_OBJ_INFO_WITH_DEFAULT_VALUE(0, node, DOMNode, 1, "null")
@@ -422,7 +415,6 @@ ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_WITH_TENTATIVE_RETURN_TYPE_MASK_EX(arginfo_class_DOMDocument_saveHTMLFile, 0, 1, MAY_BE_LONG|MAY_BE_FALSE)
 	ZEND_ARG_TYPE_INFO(0, filename, IS_STRING, 0)
 ZEND_END_ARG_INFO()
-#endif
 
 ZEND_BEGIN_ARG_WITH_TENTATIVE_RETURN_TYPE_MASK_EX(arginfo_class_DOMDocument_saveXML, 0, 0, MAY_BE_STRING|MAY_BE_FALSE)
 	ZEND_ARG_OBJ_INFO_WITH_DEFAULT_VALUE(0, node, DOMNode, 1, "null")
@@ -1228,12 +1220,10 @@ ZEND_METHOD(DOMDocument, loadXML);
 ZEND_METHOD(DOMDocument, normalizeDocument);
 ZEND_METHOD(DOMDocument, registerNodeClass);
 ZEND_METHOD(DOMDocument, save);
-#if defined(LIBXML_HTML_ENABLED)
 ZEND_METHOD(DOMDocument, loadHTML);
 ZEND_METHOD(DOMDocument, loadHTMLFile);
 ZEND_METHOD(DOMDocument, saveHTML);
 ZEND_METHOD(DOMDocument, saveHTMLFile);
-#endif
 ZEND_METHOD(DOMDocument, saveXML);
 #if defined(LIBXML_SCHEMAS_ENABLED)
 ZEND_METHOD(DOMDocument, schemaValidate);
@@ -1496,12 +1486,10 @@ static const zend_function_entry class_DOMDocument_methods[] = {
 	ZEND_ME(DOMDocument, normalizeDocument, arginfo_class_DOMDocument_normalizeDocument, ZEND_ACC_PUBLIC)
 	ZEND_ME(DOMDocument, registerNodeClass, arginfo_class_DOMDocument_registerNodeClass, ZEND_ACC_PUBLIC)
 	ZEND_ME(DOMDocument, save, arginfo_class_DOMDocument_save, ZEND_ACC_PUBLIC)
-#if defined(LIBXML_HTML_ENABLED)
 	ZEND_ME(DOMDocument, loadHTML, arginfo_class_DOMDocument_loadHTML, ZEND_ACC_PUBLIC)
 	ZEND_ME(DOMDocument, loadHTMLFile, arginfo_class_DOMDocument_loadHTMLFile, ZEND_ACC_PUBLIC)
 	ZEND_ME(DOMDocument, saveHTML, arginfo_class_DOMDocument_saveHTML, ZEND_ACC_PUBLIC)
 	ZEND_ME(DOMDocument, saveHTMLFile, arginfo_class_DOMDocument_saveHTMLFile, ZEND_ACC_PUBLIC)
-#endif
 	ZEND_ME(DOMDocument, saveXML, arginfo_class_DOMDocument_saveXML, ZEND_ACC_PUBLIC)
 #if defined(LIBXML_SCHEMAS_ENABLED)
 	ZEND_ME(DOMDocument, schemaValidate, arginfo_class_DOMDocument_schemaValidate, ZEND_ACC_PUBLIC)

From 27035eb01e2d7fb44522240739b644975006dbc6 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Tue, 7 Oct 2025 21:16:22 +0200
Subject: [PATCH 2/6] Fix GH-20085: Assertion failure when combining lazy
 object get_properties exception with foreach loop

In this test, we will loop once, and then replace the object with an
instance that'll throw on property construction in Z_OBJPROP_P() in
the ZEND_FE_FETCH_RW VM handler.
Since at that point `pos >= fe_ht->nNumUsed`, we exit via
`fe_fetch_w_exit` without checking for an exception, causing incorrect
continuation of the code and an eventual assertion failure.

To solve this, we perform an exception check at the end of the
iteration. This should be sufficient to guarantee the exception is
checked in time as failure of get_properties() via Z_OBJPROP_P() will
always result in an empty hash table.
This should also be more efficient than the alternative fix that checks
for an exception right after Z_OBJPROP_P() as that would be executed at
each iteration.

Closes GH-20098.
---
 NEWS                                 |  2 ++
 Zend/tests/lazy_objects/gh20085.phpt | 25 +++++++++++++++++++++++++
 Zend/zend_vm_def.h                   |  3 ++-
 Zend/zend_vm_execute.h               |  3 ++-
 4 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 Zend/tests/lazy_objects/gh20085.phpt

diff --git a/NEWS b/NEWS
index cea3e9b1db1db..6d3f3b7d82d7c 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ PHP                                                                        NEWS
   . Fixed bug GH-19934 (CGI with auto_globals_jit=0 causes uouv). (ilutov)
   . Fixed bug GH-20073 (Assertion failure in WeakMap offset operations on
     reference). (nielsdos)
+  . Fixed bug GH-20085 (Assertion failure when combining lazy object
+    get_properties exception with foreach loop). (nielsdos)
 
 09 Oct 2025, PHP 8.4.14
 
diff --git a/Zend/tests/lazy_objects/gh20085.phpt b/Zend/tests/lazy_objects/gh20085.phpt
new file mode 100644
index 0000000000000..5624f71ea8b47
--- /dev/null
+++ b/Zend/tests/lazy_objects/gh20085.phpt
@@ -0,0 +1,25 @@
+--TEST--
+GH-20085 (Assertion failure when combining lazy object get_properties exception with foreach loop)
+--FILE--
+<?php
+class C {
+    public int $a;
+    public function __construct() {
+        $this->a = 1;
+    }
+}
+$obj = new C;
+$reflector = new ReflectionClass(C::class);
+foreach ($obj as &$value) {
+    $obj = $reflector->newLazyGhost(function ($obj) {
+        throw new Error;
+    });
+}
+echo !obj;
+?>
+--EXPECTF--
+Fatal error: Uncaught Error in %s:%d
+Stack trace:
+#0 %s(%d): {closure:%s:%d}(Object(C))
+#1 {main}
+  thrown in %s on line %d
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index c40dd4cc8edf4..039d9679848ee 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -7275,7 +7275,7 @@ ZEND_VM_HANDLER(126, ZEND_FE_FETCH_RW, VAR, ANY, JMP_ADDR)
 			while (1) {
 				if (UNEXPECTED(pos >= fe_ht->nNumUsed)) {
 					/* reached end of iteration */
-					ZEND_VM_C_GOTO(fe_fetch_w_exit);
+					ZEND_VM_C_GOTO(fe_fetch_w_exit_exc);
 				}
 				pos++;
 				value = &p->val;
@@ -7371,6 +7371,7 @@ ZEND_VM_HANDLER(126, ZEND_FE_FETCH_RW, VAR, ANY, JMP_ADDR)
 		}
 	} else {
 		zend_error(E_WARNING, "foreach() argument must be of type array|object, %s given", zend_zval_value_name(array));
+ZEND_VM_C_LABEL(fe_fetch_w_exit_exc):
 		if (UNEXPECTED(EG(exception))) {
 			UNDEF_RESULT();
 			HANDLE_EXCEPTION();
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index a9f33224d82a9..d6ee850839aec 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -23173,7 +23173,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_FE_FETCH_RW_SPEC_VAR_HANDLER(Z
 			while (1) {
 				if (UNEXPECTED(pos >= fe_ht->nNumUsed)) {
 					/* reached end of iteration */
-					goto fe_fetch_w_exit;
+					goto fe_fetch_w_exit_exc;
 				}
 				pos++;
 				value = &p->val;
@@ -23269,6 +23269,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_FE_FETCH_RW_SPEC_VAR_HANDLER(Z
 		}
 	} else {
 		zend_error(E_WARNING, "foreach() argument must be of type array|object, %s given", zend_zval_value_name(array));
+fe_fetch_w_exit_exc:
 		if (UNEXPECTED(EG(exception))) {
 			UNDEF_RESULT();
 			HANDLE_EXCEPTION();

From aaed3ccb4791ea51fe36cb621ddce31c1716f0b9 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Wed, 8 Oct 2025 17:37:24 +0200
Subject: [PATCH 3/6] Allow by-ref assign to WeakMap even if object is not yet
 in the map (#20097)

Previously this failed as the read_dimension which is invoked by
ref-assign does not contain the logic to add the key, so it was required
to first write the value using a normal assignment and then thereafter
use the reference assignment.
This solves it by adding the necessary logic to assign references
directly.
---
 NEWS                                          |  2 ++
 UPGRADING                                     |  4 ++++
 .../weakmap_by_ref_dimension_assign.phpt      | 13 +++++++++++
 Zend/zend_weakrefs.c                          | 23 ++++++++++++-------
 4 files changed, 34 insertions(+), 8 deletions(-)
 create mode 100644 Zend/tests/weakrefs/weakmap_by_ref_dimension_assign.phpt

diff --git a/NEWS b/NEWS
index 1634189bde10f..38d3bde8a746e 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,8 @@ PHP                                                                        NEWS
 - Core:
   . Added first-class callable cache to share instances for the duration of the
     request. (ilutov)
+  . It is now possible to use reference assign on WeakMap without the key
+    needing to be present beforehand. (nielsdos)
 
 - Intl:
   . Added IntlNumberRangeFormatter class to format an interval of two numbers
diff --git a/UPGRADING b/UPGRADING
index 51a057003b544..6873c276a0964 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -23,6 +23,10 @@ PHP 8.6 UPGRADE NOTES
 2. New Features
 ========================================
 
+- Core:
+  . It is now possible to use reference assign on WeakMap without the key
+    needing to be present beforehand.
+
 - Intl:
   . Added IntlNumberRangeFormatter class to format an interval of two numbers with a given skeleton, locale, IntlNumberRangeFormatter::COLLAPSE_AUTO, IntlNumberRangeFormatter::COLLAPSE_NONE, IntlNumberRangeFormatter::COLLAPSE_UNIT, IntlNumberRangeFormatter::COLLAPSE_ALL collapse and
     IntlNumberRangeFormatter::IDENTITY_FALLBACK_SINGLE_VALUE, IntlNumberRangeFormatter::IDENTITY_FALLBACK_APPROXIMATELY_OR_SINGLE_VALUE, IntlNumberRangeFormatter::IDENTITY_FALLBACK_APPROXIMATELY and
diff --git a/Zend/tests/weakrefs/weakmap_by_ref_dimension_assign.phpt b/Zend/tests/weakrefs/weakmap_by_ref_dimension_assign.phpt
new file mode 100644
index 0000000000000..6444de7eea6ba
--- /dev/null
+++ b/Zend/tests/weakrefs/weakmap_by_ref_dimension_assign.phpt
@@ -0,0 +1,13 @@
+--TEST--
+By-ref assign of WeakMap dimension
+--FILE--
+<?php
+$obj = new stdClass;
+$map = new WeakMap;
+$int = 0;
+$map[$obj] =& $int;
+$int++;
+var_dump($map[$obj]);
+?>
+--EXPECT--
+int(1)
diff --git a/Zend/zend_weakrefs.c b/Zend/zend_weakrefs.c
index 518d2d8eb9ee0..83a28808811d5 100644
--- a/Zend/zend_weakrefs.c
+++ b/Zend/zend_weakrefs.c
@@ -370,18 +370,25 @@ static zval *zend_weakmap_read_dimension(zend_object *object, zval *offset, int
 	zend_weakmap *wm = zend_weakmap_from(object);
 	zend_object *obj_addr = Z_OBJ_P(offset);
 	zval *zv = zend_hash_index_find(&wm->ht, zend_object_to_weakref_key(obj_addr));
-	if (zv == NULL) {
-		if (type != BP_VAR_IS) {
-			zend_throw_error(NULL,
-				"Object %s#%d not contained in WeakMap", ZSTR_VAL(obj_addr->ce->name), obj_addr->handle);
+	if (type == BP_VAR_W || type == BP_VAR_RW) {
+		if (zv == NULL) {
+			zval value;
+			zend_weakref_register(obj_addr, ZEND_WEAKREF_ENCODE(&wm->ht, ZEND_WEAKREF_TAG_MAP));
+			ZVAL_NULL(&value);
+			zv = zend_hash_index_add_new(&wm->ht, zend_object_to_weakref_key(obj_addr), &value);
+		}
+		ZVAL_MAKE_REF(zv);
+	} else {
+		if (zv == NULL) {
+			if (type != BP_VAR_IS) {
+				zend_throw_error(NULL,
+					"Object %s#%d not contained in WeakMap", ZSTR_VAL(obj_addr->ce->name), obj_addr->handle);
+				return NULL;
+			}
 			return NULL;
 		}
-		return NULL;
 	}
 
-	if (type == BP_VAR_W || type == BP_VAR_RW) {
-		ZVAL_MAKE_REF(zv);
-	}
 	return zv;
 }
 

From c5fa7696e64455a8b23f00985a3bad61ebc062e7 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Wed, 8 Oct 2025 09:31:00 +0200
Subject: [PATCH 4/6] Fix Randomizer::__serialize() wrt INDIRECTs

First follow-up to GH-20102.
INDIRECTs must never get exposed to userland. The simple solution is to
duplicate the properties array.

Closes GH-20103.
---
 NEWS                                           |  3 +++
 ext/random/randomizer.c                        |  3 +--
 .../methods/__serialize_indirects.phpt         | 18 ++++++++++++++++++
 3 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 ext/random/tests/03_randomizer/methods/__serialize_indirects.phpt

diff --git a/NEWS b/NEWS
index b2b8aaacf1520..12ccb411bb519 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,9 @@ PHP                                                                        NEWS
   . Fixed bug GH-20073 (Assertion failure in WeakMap offset operations on
     reference). (nielsdos)
 
+- Random:
+  . Fix Randomizer::__serialize() w.r.t. INDIRECTs. (nielsdos)
+
 23 Oct 2025, PHP 8.3.27
 
 - Core:
diff --git a/ext/random/randomizer.c b/ext/random/randomizer.c
index fe9ad5fc35a9c..6254fe27c9c56 100644
--- a/ext/random/randomizer.c
+++ b/ext/random/randomizer.c
@@ -468,8 +468,7 @@ PHP_METHOD(Random_Randomizer, __serialize)
 	ZEND_PARSE_PARAMETERS_NONE();
 
 	array_init(return_value);
-	ZVAL_ARR(&t, zend_std_get_properties(&randomizer->std));
-	Z_TRY_ADDREF(t);
+	ZVAL_ARR(&t, zend_array_dup(zend_std_get_properties(&randomizer->std)));
 	zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &t);
 }
 /* }}} */
diff --git a/ext/random/tests/03_randomizer/methods/__serialize_indirects.phpt b/ext/random/tests/03_randomizer/methods/__serialize_indirects.phpt
new file mode 100644
index 0000000000000..1207e18dd829c
--- /dev/null
+++ b/ext/random/tests/03_randomizer/methods/__serialize_indirects.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Random: Engine: __serialize() must not expose INDIRECTs
+--FILE--
+<?php
+
+$randomizer = new Random\Randomizer(null);
+var_dump($randomizer->__serialize());
+
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  array(1) {
+    ["engine"]=>
+    object(Random\Engine\Secure)#2 (0) {
+    }
+  }
+}

From 0458b3c8db791ebc569a5bf30111c6396a5266cc Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Wed, 8 Oct 2025 17:28:37 +0200
Subject: [PATCH 5/6] Fix GH-20101: SplHeap/SplPriorityQueue serialization
 exposes INDIRECTs

Exposing INDIRECTs to userland is not allowed and can lead to all sorts
of wrong behaviour. In this case it lead to UAF bugs.
Solve it by duplicating the properties table, which de-indirects the
elements and also decouples it for future modifications.

Closes GH-20102.
---
 NEWS                                          |  3 ++
 ext/spl/spl_heap.c                            | 35 ++++---------
 .../SplHeap_serialize_indexed_format.phpt     |  4 +-
 ext/spl/tests/gh20101.phpt                    | 49 +++++++++++++++++++
 4 files changed, 63 insertions(+), 28 deletions(-)
 create mode 100644 ext/spl/tests/gh20101.phpt

diff --git a/NEWS b/NEWS
index 93b2616f71f53..4b09eacae5da9 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.5.0RC3
 
+- SPL:
+  . Fixed bug GH-20101 (SplHeap/SplPriorityQueue serialization
+    exposes INDIRECTs). (nielsdos)
 
 09 Oct 2025, PHP 8.5.0RC2
 
diff --git a/ext/spl/spl_heap.c b/ext/spl/spl_heap.c
index 19e86b0d80b72..254fbde7b3ff0 100644
--- a/ext/spl/spl_heap.c
+++ b/ext/spl/spl_heap.c
@@ -1167,7 +1167,7 @@ static zend_result spl_heap_unserialize_internal_state(HashTable *state_ht, spl_
 	return SUCCESS;
 }
 
-PHP_METHOD(SplPriorityQueue, __serialize)
+static void spl_heap_serialize_internal(INTERNAL_FUNCTION_PARAMETERS, bool is_pqueue)
 {
 	spl_heap_object *intern = Z_SPLHEAP_P(ZEND_THIS);
 	zval props, state;
@@ -1185,14 +1185,18 @@ PHP_METHOD(SplPriorityQueue, __serialize)
 
 	array_init(return_value);
 
-	ZVAL_ARR(&props, zend_std_get_properties(&intern->std));
-	Z_TRY_ADDREF(props);
+	ZVAL_ARR(&props, zend_array_dup(zend_std_get_properties(&intern->std)));
 	zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &props);
 
-	spl_heap_serialize_internal_state(&state, intern, true);
+	spl_heap_serialize_internal_state(&state, intern, is_pqueue);
 	zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &state);
 }
 
+PHP_METHOD(SplPriorityQueue, __serialize)
+{
+	spl_heap_serialize_internal(INTERNAL_FUNCTION_PARAM_PASSTHRU, true);
+}
+
 PHP_METHOD(SplPriorityQueue, __unserialize)
 {
 	HashTable *data;
@@ -1241,28 +1245,7 @@ PHP_METHOD(SplPriorityQueue, __unserialize)
 
 PHP_METHOD(SplHeap, __serialize)
 {
-	spl_heap_object *intern = Z_SPLHEAP_P(ZEND_THIS);
-	zval props, state;
-
-	ZEND_PARSE_PARAMETERS_NONE();
-
-	if (UNEXPECTED(spl_heap_consistency_validations(intern, false) != SUCCESS)) {
-		RETURN_THROWS();
-	}
-
-	if (intern->heap->flags & SPL_HEAP_WRITE_LOCKED) {
-		zend_throw_exception(spl_ce_RuntimeException, "Cannot serialize heap while it is being modified.", 0);
-		RETURN_THROWS();
-	}
-
-	array_init(return_value);
-
-	ZVAL_ARR(&props, zend_std_get_properties(&intern->std));
-	Z_TRY_ADDREF(props);
-	zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &props);
-
-	spl_heap_serialize_internal_state(&state, intern, false);
-	zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &state);
+	spl_heap_serialize_internal(INTERNAL_FUNCTION_PARAM_PASSTHRU, false);
 }
 
 PHP_METHOD(SplHeap, __unserialize)
diff --git a/ext/spl/tests/SplHeap_serialize_indexed_format.phpt b/ext/spl/tests/SplHeap_serialize_indexed_format.phpt
index c201feb5716f6..21ea74c6bff9b 100644
--- a/ext/spl/tests/SplHeap_serialize_indexed_format.phpt
+++ b/ext/spl/tests/SplHeap_serialize_indexed_format.phpt
@@ -74,9 +74,9 @@ array(2) {
   [0]=>
   array(2) {
     ["flags"]=>
-    UNKNOWN:0
+    string(13) "user_property"
     ["heap_elements"]=>
-    UNKNOWN:0
+    string(13) "user_property"
   }
   [1]=>
   array(2) {
diff --git a/ext/spl/tests/gh20101.phpt b/ext/spl/tests/gh20101.phpt
new file mode 100644
index 0000000000000..ad2399d76c8e6
--- /dev/null
+++ b/ext/spl/tests/gh20101.phpt
@@ -0,0 +1,49 @@
+--TEST--
+GH-20101 (SplHeap/SplPriorityQueue serialization exposes INDIRECTs)
+--FILE--
+<?php
+class CustomHeap extends SplMaxHeap {
+    public $field = 0;
+}
+$heap = new CustomHeap();
+$data = $heap->__serialize();
+var_dump($data);
+
+class CustomPriorityQueue extends SplPriorityQueue {
+    public $field = 0;
+}
+$pqueue = new CustomPriorityQueue();
+$data = $pqueue->__serialize();
+var_dump($data);
+?>
+--EXPECT--
+array(2) {
+  [0]=>
+  array(1) {
+    ["field"]=>
+    int(0)
+  }
+  [1]=>
+  array(2) {
+    ["flags"]=>
+    int(0)
+    ["heap_elements"]=>
+    array(0) {
+    }
+  }
+}
+array(2) {
+  [0]=>
+  array(1) {
+    ["field"]=>
+    int(0)
+  }
+  [1]=>
+  array(2) {
+    ["flags"]=>
+    int(1)
+    ["heap_elements"]=>
+    array(0) {
+    }
+  }
+}

From a07d257790d23295dcbff52be29f822ee5c3a6f1 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Wed, 8 Oct 2025 18:56:19 +0200
Subject: [PATCH 6/6] Regenerate zend_vm_execute.h

---
 Zend/zend_vm_execute.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index bc0291692b07b..da8e40ec24017 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -78853,7 +78853,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_OPCODE_HANDLER_CCONV ZEND_FE_FETCH_RW_SPEC_V
 			while (1) {
 				if (UNEXPECTED(pos >= fe_ht->nNumUsed)) {
 					/* reached end of iteration */
-					goto fe_fetch_w_exit;
+					goto fe_fetch_w_exit_exc;
 				}
 				pos++;
 				value = &p->val;
@@ -78949,6 +78949,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_OPCODE_HANDLER_CCONV ZEND_FE_FETCH_RW_SPEC_V
 		}
 	} else {
 		zend_error(E_WARNING, "foreach() argument must be of type array|object, %s given", zend_zval_value_name(array));
+fe_fetch_w_exit_exc:
 		if (UNEXPECTED(EG(exception))) {
 			UNDEF_RESULT();
 			HANDLE_EXCEPTION();