path: root/ext/standard/tests/serialize/bug74103.phpt
author: Nikita Popov <nikita.ppv@gmail.com> 2017-08-12 13:00:39 +0200
committer: Nikita Popov <nikita.ppv@gmail.com> 2017-08-12 13:11:35 +0200
commit: 1a23ebc1fff59bf480ca92963b36eba5c1b904c4
tree: 14168c1726046a05c6fff13bf77eb8f6f77725e1 /ext/standard/tests/serialize/bug74103.phpt
parent: b59718bdc439f82fa1beae2c4ea1582c38bc8de3
Fixed bug #74103 and bug #75054

Directly fail unserialization when trying to acquire an r/R reference to an UNDEF HT slot. Previously this left an UNDEF and later deleted the index/key from the HT.

What actually caused the issue here is a combination of two factors: First, the key deletion was performed using the hash API, rather than the symtable API, such that the element was not actually removed if it used an integral string key. Second, a subsequent deletion operation, while collecting trailing UNDEF ranges, would mark the element as available for reuse (leaving a corrupted HT state with nNumOfElements > nNumUsed).

Fix this by failing early and dropping the deletion code.

Diffstat (limited to 'ext/standard/tests/serialize/bug74103.phpt')
-rw-r--r-- ext/standard/tests/serialize/bug74103.phpt 9
1 files changed, 9 insertions, 0 deletions
diff --git a/ext/standard/tests/serialize/bug74103.phpt b/ext/standard/tests/serialize/bug74103.phpt
new file mode 100644
index 0000000000..3d474b31b1
--- /dev/null
+++ b/ext/standard/tests/serialize/bug74103.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #74103: heap-use-after-free when unserializing invalid array size
+--FILE--
+<?php
+var_dump(unserialize('a:7:{i:0;i:04;s:1:"a";i:2;i:00009617006;i:4;s:1:"a";i:4;s:1:"a";R:5;s:1:"7";R:3;s:1:"a";R:5;;s:18;}}'));
+?>
+--EXPECTF--
+Notice: unserialize(): Error at offset 68 of 100 bytes in %s on line %d
+bool(false)
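
Review bot: the payload in the `--FILE--` section only exercises the uppercase `R:` reference form (`R:5;` and `R:3;`), while the commit message says the early failure applies to both r and R references to an UNDEF slot, so within this file the lowercase `r:` path is untested; consider adding a second `var_dump(unserialize(...))` with the same structure using `r:5;`. The payload is also opaque to a later reader: the expected offset 68 is the position directly after the first `R:5;`, and a one-line comment above the call saying that this reference is the one that must now fail would make the `--EXPECTF--` offset easier to maintain if the parser's error reporting changes. Because the original defect was a use-after-free from corrupted hash table state, the assertion on `bool(false)` plus the notice only proves the new behaviour; the regression value against the old code depends on running the suite under a memory checker.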