Fix GH-21682: reject ZipArchive serialization via __serialize()

ZipArchive wraps a libzip handle that cannot survive serialization:
serialize() produced a string that unserialized into an empty object
with numFiles 0, and that unserialize path was the bug72434
use-after-free vector. Add __serialize() and __unserialize() that throw,
so the base class rejects (un)serialization and the UAF is closed by
construction, while a subclass can still override both to round-trip
through closeString()/openString(). Move the bug72434 test to
ext/zip/tests since it now requires the zip extension.

Fixes GH-21682

Author: iliaal

ext/standard/tests/strings/bug72434.phpt

@@ -25,6 +25,7 @@
 #include "ext/standard/php_filestat.h"
 #include "zend_attributes.h"
 #include "zend_interfaces.h"
+#include "zend_exceptions.h"
 #include "php_zip.h"
 #include "php_zip_arginfo.h"
 
@@ -1645,6 +1646,30 @@ PHP_METHOD(ZipArchive, count)
 }
 /* }}} */
 
+PHP_METHOD(ZipArchive, __serialize)
+{
+	ZEND_PARSE_PARAMETERS_NONE();
+
+	zend_throw_exception_ex(NULL, 0,
+		"Serialization of '%s' is not allowed, override __serialize() and __unserialize() to implement it",
+		ZSTR_VAL(Z_OBJCE_P(ZEND_THIS)->name));
+}
+
+PHP_METHOD(ZipArchive, __unserialize)
+{
+	zval *data;
+
+	ZEND_PARSE_PARAMETERS_START(1, 1)
+		Z_PARAM_ARRAY(data)
+	ZEND_PARSE_PARAMETERS_END();
+
+	(void) data;
+
+	zend_throw_exception_ex(NULL, 0,
+		"Unserialization of '%s' is not allowed, override __serialize() and __unserialize() to implement it",
+		ZSTR_VAL(Z_OBJCE_P(ZEND_THIS)->name));
+}
+
 /* {{{ clear the internal status */
 PHP_METHOD(ZipArchive, clearError)
 {

ext/zip/php_zip.c

@@ -661,6 +661,10 @@ public function closeString(): string|false {}
     /** @tentative-return-type */
     public function count(): int {}
 
+    public function __serialize(): array {}
+
+    public function __unserialize(array $data): void {}
+
     /** @tentative-return-type */
     public function getStatusString(): string {}
 

ext/zip/php_zip.stub.php

@@ -0,0 +1,17 @@
+--TEST--
+Bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
+--EXTENSIONS--
+zip
+--FILE--
+<?php
+$free_me = array(new StdClass());
+$serialized_payload = 'a:3:{i:1;N;i:2;O:10:"ZipArchive":1:{s:8:"filename";'.serialize($free_me).'}i:1;R:4;}';
+try {
+    $unserialized_payload = unserialize($serialized_payload);
+    var_dump($unserialized_payload);
+} catch (Exception $e) {
+    echo $e->getMessage() . "\n";
+}
+?>
+--EXPECT--
+Unserialization of 'ZipArchive' is not allowed, override __serialize() and __unserialize() to implement it

ext/zip/php_zip_arginfo.h

@@ -0,0 +1,16 @@
+--TEST--
+GH-21682 (ZipArchive serialization is rejected)
+--EXTENSIONS--
+zip
+--FILE--
+<?php
+$a = new ZipArchive();
+try {
+    serialize($a);
+    echo "ERROR: should have thrown\n";
+} catch (\Exception $e) {
+    echo $e->getMessage() . "\n";
+}
+?>
+--EXPECT--
+Serialization of 'ZipArchive' is not allowed, override __serialize() and __unserialize() to implement it

ext/zip/tests/bug72434.phpt

@@ -0,0 +1,32 @@
+--TEST--
+GH-21682 (ZipArchive subclass implements serialization via __serialize()/__unserialize())
+--EXTENSIONS--
+zip
+--FILE--
+<?php
+class MyArchive extends ZipArchive
+{
+    public function __serialize(): array
+    {
+        return ['data' => $this->closeString()];
+    }
+
+    public function __unserialize(array $data): void
+    {
+        $this->openString($data['data']);
+    }
+}
+
+$zip = new MyArchive();
+$zip->openString();
+$zip->addFromString('test1', 'abc123');
+
+$roundtrip = unserialize(serialize($zip));
+var_dump($roundtrip instanceof MyArchive);
+var_dump($roundtrip->numFiles);
+var_dump($roundtrip->getFromName('test1'));
+?>
+--EXPECT--
+bool(true)
+int(1)
+string(6) "abc123"