General fix

kocsismate · kocsismate · commit a333d79f0f16 · 2026-05-31T23:39:53.000+02:00
diff --git a/ext/standard/tests/serialize/serialization_objects_009.phpt b/ext/standard/tests/serialize/serialization_objects_009.phpt
@@ -3,22 +3,24 @@ Custom unserialization of classes with no custom unserializer.
 --FILE--
 <?php
 $ser = 'C:1:"C":6:{dasdas}';
-$a = unserialize($ser);
+
+try {
+    unserialize($ser);
+} catch (Throwable $e) {
+    echo $e::class, ": ", $e->getMessage(), PHP_EOL;
+}
+
 eval('class C {}');
-$b = unserialize($ser);
 
-var_dump($a, $b);
+try {
+    unserialize($ser);
+} catch (Throwable $e) {
+    echo $e::class, ": ", $e->getMessage(), PHP_EOL;
+}
 
 echo "Done";
 ?>
---EXPECTF--
-Warning: Class __PHP_Incomplete_Class has no unserializer in %sserialization_objects_009.php on line %d
-
-Warning: Class C has no unserializer in %sserialization_objects_009.php on line %d
-object(__PHP_Incomplete_Class)#%d (1) {
-  ["__PHP_Incomplete_Class_Name"]=>
-  string(1) "C"
-}
-object(C)#%d (0) {
-}
+--EXPECT--
+Exception: Class __PHP_Incomplete_Class has no unserializer
+Exception: Class C has no unserializer
 Done
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
@@ -771,7 +771,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
 	}
 
 	if (ce->unserialize == NULL) {
-		zend_error(E_WARNING, "Class %s has no unserializer", ZSTR_VAL(ce->name));
+		zend_throw_exception_ex(NULL, 0,  "Class %s has no unserializer", ZSTR_VAL(ce->name));
 		object_init_ex(rval, ce);
 	} else if (ce->unserialize(rval, ce, (const unsigned char*)*p, datalen, (zend_unserialize_data *)var_hash) != SUCCESS) {
 		return 0;
diff --git a/ext/uri/tests/gh22046.phpt b/ext/uri/tests/gh22046.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GH-22046: The unserialize function with Uri\WhatWg\Url leads to NULL pointer dereference when object serialized back
+--FILE--
+<?php
+
+$payload = 'C:14:"Uri\WhatWg\Url":0:{}';
+try {
+    unserialize($payload);
+} catch (Throwable $e) {
+    echo $e::class, ": ", $e->getMessage(), PHP_EOL;
+}
+
+$payload = 'C:15:"Uri\Rfc3986\Uri":0:{}';
+try {
+    unserialize($payload);
+} catch (Throwable $e) {
+    echo $e::class, ": ", $e->getMessage(), PHP_EOL;
+}
+?>
+--EXPECT--
+Exception: Class Uri\WhatWg\Url has no unserializer
+Exception: Class Uri\Rfc3986\Uri has no unserializer

Original file line number	Diff line number	Diff line change
`@@ -771,7 +771,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)`
`771`	`771`	`}`
`772`	`772`
`773`	`773`	`if (ce->unserialize == NULL) {`
`774`		`- zend_error(E_WARNING, "Class %s has no unserializer", ZSTR_VAL(ce->name));`
	`774`	`+ zend_throw_exception_ex(NULL, 0, "Class %s has no unserializer", ZSTR_VAL(ce->name));`
`775`	`775`	`object_init_ex(rval, ce);`
`776`	`776`	`} else if (ce->unserialize(rval, ce, (const unsigned char)p, datalen, (zend_unserialize_data *)var_hash) != SUCCESS) {`
`777`	`777`	`return 0;`