Sanity-check array/object lengths during unserialization

Avoid OOM conditions in unserialize due to overly large array or
object length specifications.

Fix #78438: Corruption when __unserializing deeply nested structures

When storing two temporary variables for delayed __unserialize() calls,
we have to make sure that both fit into the s

Fix #78438: Corruption when __unserializing deeply nested structures

When storing two temporary variables for delayed __unserialize() calls,
we have to make sure that both fit into the same linked list element.
To that end we introduce the internal API `tmp_var` which allows to
reserve `num` slots in the same list element.

We also fix the `var_dtor_entries` struct definition to use the proper
size, namely `VAR_DTOR_ENTRIES_MAX`.

show more ...

Fix var_unserializer debug code

At least it now compiles and should be free of warnings.

Fix bug #77866: Port Serializable SPL classes to use __unserialize()

Payloads created using Serializable are still supported.

Fix leak on error in new serialization mechanism

Implement new custom object serialization mechanism

RFC: https://wiki.php.net/rfc/custom_object_serialization

Remove function_table var from the caller

function_table var is not used in call_user_function macro anymore
hence replace the usage with NULL

Remove yearly range from copyright notice

Remove the "o" serialization format

We never generate the "o" format during serialization, so let's not
keep this unnecessary attack surface around.

Implement typed properties

RFC: https://wiki.php.net/rfc/typed_properties_v2

This is a squash of PR #3734, which is a squash of PR #3313.

Co-authored-by: Bob Weinand <bobwe

Implement typed properties

RFC: https://wiki.php.net/rfc/typed_properties_v2

This is a squash of PR #3734, which is a squash of PR #3313.

Co-authored-by: Bob Weinand <bobwei9@hotmail.com>
Co-authored-by: Joe Watkins <krakjoe@php.net>
Co-authored-by: Dmitry Stogov <dmitry@zend.com>

show more ...

Improve unserialize()

Improve unserialize()

Remove unused ZEND_FILE_LINE in i_zval_ptr_dtor

Remove unused Git attributes ident

The $Id$ keywords were used in Subversion where they can be substituted
with filename, last revision number change, last changed date, and last
use

Remove unused Git attributes ident

The $Id$ keywords were used in Subversion where they can be substituted
with filename, last revision number change, last changed date, and last
user who changed it.

In Git this functionality is different and can be done with Git attribute
ident. These need to be defined manually for each file in the
.gitattributes file and are afterwards replaced with 40-character
hexadecimal blob object name which is based only on the particular file
contents.

This patch simplifies handling of $Id$ keywords by removing them since
they are not used anymore.

show more ...

Use better destructor (key may be only IS_STRING or IS_LONG).

se zval_ptr_dtor_str() instead of zend_string_release_ex(Z_STR(*), 0)

Merge branch 'PHP-7.2'

Merge branch 'PHP-7.1' into PHP-7.2

Fixed bug #74670

Validate that "C" serialization payload is followed by "}" prior to
calling the unserialize() handler. This mitigates issues caused by
unserialize() not correctly ha

Fixed bug #74670

Validate that "C" serialization payload is followed by "}" prior to
calling the unserialize() handler. This mitigates issues caused by
unserialize() not correctly handling strings that are not NUL
terminated. Making sure that there is a "}" at the end avoids the
problem.

show more ...

Fix #76300 - Dont attempt to change visibility of a parent private

Merge branch 'PHP-7.2'

* PHP-7.2:
Fix #76300 - Dont attempt to change visibility of a parent private

Removed useless zval_ptr_dtor()

Use zend_string_release_ex() instread of zend_string_release() in places, where we sure about string persistence.

Avoid useless checks, using zend_string_efree(), in cases where the string is known to be a temporary allocated zend_string.

Fix #76300 - Dont attempt to change visibility of a parent private