From 343b9907a9a150f818ed4e17b0c6b509e9360c6e Mon Sep 17 00:00:00 2001
From: Tyson Andre <tysonandre775@hotmail.com>
Date: Wed, 30 Dec 2020 19:05:12 -0500
Subject: [PATCH] Fix edge case serializing __PHP_Incomplete_Class properties.

This was using strcmp instead of zend_string_equals_literal.
As a result, the property count didn't match the number of properties
being serialized if properties started with
"__PHP_Incomplete_Class\0" (unlikely)

(before, `'O:8:"Missing_":1:{}'` would be serialized, which failed to
unserialize)

Everywhere else expects the MAGIC_MEMBER to match exactly,
and this should use zend_string_equals_literal as an example for other code.

This has used strcmp since 2004 in deb84befae4bbc3686a4f2ed82b04e2cabae5dc0
---
 .../serialize/incomplete_class_magic.phpt     | 32 +++++++++++++++++++
 ext/standard/var.c                            |  2 +-
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 ext/standard/tests/serialize/incomplete_class_magic.phpt

diff --git a/ext/standard/tests/serialize/incomplete_class_magic.phpt b/ext/standard/tests/serialize/incomplete_class_magic.phpt
new file mode 100644
index 0000000000000..bef139740c59c
--- /dev/null
+++ b/ext/standard/tests/serialize/incomplete_class_magic.phpt
@@ -0,0 +1,32 @@
+--TEST--
+(un)serializing __PHP_Incomplete_Class instance edge case
+--FILE--
+<?php
+
+$serialized = 'O:8:"Missing_":1:{s:33:"__PHP_Incomplete_Class_Name' . "\0" . 'other";i:123;}';
+ob_start();
+$o = unserialize($serialized);
+var_dump($o);
+$reserialized = serialize($o);
+var_dump(unserialize($reserialized));
+// Pretty print null bytes
+echo str_replace("\0", "\\0", ob_get_clean());
+
+// The serialization should have a property count of 1 and a property set with 1 element.
+var_export($reserialized);
+echo "\n";
+?>
+--EXPECT--
+object(__PHP_Incomplete_Class)#1 (2) {
+  ["__PHP_Incomplete_Class_Name"]=>
+  string(8) "Missing_"
+  ["__PHP_Incomplete_Class_Name\0other"]=>
+  int(123)
+}
+object(__PHP_Incomplete_Class)#2 (2) {
+  ["__PHP_Incomplete_Class_Name"]=>
+  string(8) "Missing_"
+  ["__PHP_Incomplete_Class_Name\0other"]=>
+  int(123)
+}
+'O:8:"Missing_":1:{s:33:"__PHP_Incomplete_Class_Name' . "\0" . 'other";i:123;}'
diff --git a/ext/standard/var.c b/ext/standard/var.c
index fef62dd482349..867554fe38bad 100644
--- a/ext/standard/var.c
+++ b/ext/standard/var.c
@@ -878,7 +878,7 @@ static void php_var_serialize_nested_data(smart_str *buf, zval *struc, HashTable
 		zend_ulong index;
 
 		ZEND_HASH_FOREACH_KEY_VAL_IND(ht, index, key, data) {
-			if (incomplete_class && strcmp(ZSTR_VAL(key), MAGIC_MEMBER) == 0) {
+			if (incomplete_class && zend_string_equals_literal(key, MAGIC_MEMBER)) {
 				continue;
 			}