Fixed bug #43614 (incorrect processing of numerical string keys of array in arbitrary serialized data)

4 files changed, 27 insertions, 4 deletions

diff --git a/NEWS b/NEWS
index 891c0d8003..629e0121d3 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,8 @@ PHP                                                                        NEWS
 - Fixed bug #44373 (PDO_OCI extension compile failed). (Felipe)
 - Fixed bug #43677 (Inconsistent behaviour of include_path set with
   php_value). (manuel at mausz dot at)
+- Fixed bug #43614 (incorrect processing of numerical string keys of array in 
+  arbitrary serialized data). (Dmitriy Buldakov, Felipe)
 - Fixed bug #42177 (Warning "array_merge_recursive(): recursion detected" comes 
   again...). (Felipe)
 - Fixed bug #41828 (Failing to call RecursiveIteratorIterator::__construct() 
diff --git a/ext/standard/tests/serialize/bug43614.phpt b/ext/standard/tests/serialize/bug43614.phpt
new file mode 100644
index 0000000000..127dfba586
--- /dev/null
+++ b/ext/standard/tests/serialize/bug43614.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #43614 (incorrect processing of numerical string keys of array in arbitrary serialized data)
+--FILE--
+<?php
+
+error_reporting(E_ALL);
+
+var_dump($a = unserialize('a:2:{s:2:"10";i:1;s:2:"01";i:2;}'));
+var_dump($a['10']);
+var_dump($a['01']);
+
+?>
+--EXPECT--
+array(2) {
+  [10]=>
+  int(1)
+  ["01"]=>
+  int(2)
+}
+int(1)
+int(2)
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
index 934dfb4514..142d4d2d9f 100644
--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
@@ -290,10 +290,10 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 				zend_hash_index_update(ht, Z_LVAL_P(key), &data, sizeof(data), NULL);
 				break;
 			case IS_STRING:
-				if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+				if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
 					var_push_dtor(var_hash, old_data);
 				}
-				zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof(data), NULL);
+				zend_symtable_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof(data), NULL);
 				break;
 		}
 		
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index a54da2ec67..ef3b07fcf6 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -294,10 +294,10 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 				zend_hash_index_update(ht, Z_LVAL_P(key), &data, sizeof(data), NULL);
 				break;
 			case IS_STRING:
-				if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+				if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
 					var_push_dtor(var_hash, old_data);
 				}
-				zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof(data), NULL);
+				zend_symtable_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof(data), NULL);
 				break;
 		}