ext/spl: Fix ArrayObject unserialize validation for invalid iterator classes

arshidkv12 · arshidkv12 · commit 816a47e4e579 · 2026-05-19T15:18:39.000+05:30
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
@@ -1482,7 +1482,8 @@ PHP_METHOD(ArrayObject, __unserialize)
 			RETURN_THROWS();
 		}
 
-		if (!instanceof_function(ce, zend_ce_iterator)) {
+		if (!instanceof_function(ce, spl_ce_ArrayIterator) &&
+			!instanceof_function(ce, spl_ce_RecursiveArrayIterator)) {
 			zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0,
 				"Cannot deserialize ArrayObject with iterator class '%s'; this class does not implement the Iterator interface",
 				ZSTR_VAL(Z_STR_P(iterator_class_zv)));
diff --git a/ext/spl/tests/GH-22047.phpt b/ext/spl/tests/GH-22047.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-22047: ArrayObject invalid iterator class in serialized payload
+--FILE--
+<?php
+
+$payload = 'O:11:"ArrayObject":4:{i:0;i:0;i:1;a:2:{i:4;d:0.0;i:1;b:1;}i:2;a:0:{}i:3;s:12:"GlobIterator";}';
+
+try {
+    $obj = unserialize($payload);
+    foreach ($obj as $k => $v) {
+        echo "should not reach here\n";
+    }
+} catch (UnexpectedValueException $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECTF--
+Cannot deserialize ArrayObject with iterator class 'GlobIterator'; this class does not implement the Iterator interface

Original file line number	Diff line number	Diff line change
`@@ -1482,7 +1482,8 @@ PHP_METHOD(ArrayObject, __unserialize)`
`1482`	`1482`	`RETURN_THROWS();`
`1483`	`1483`	`}`
`1484`	`1484`
`1485`		`- if (!instanceof_function(ce, zend_ce_iterator)) {`
	`1485`	`+ if (!instanceof_function(ce, spl_ce_ArrayIterator) &&`
	`1486`	`+ !instanceof_function(ce, spl_ce_RecursiveArrayIterator)) {`
`1486`	`1487`	`zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0,`
`1487`	`1488`	`"Cannot deserialize ArrayObject with iterator class '%s'; this class does not implement the Iterator interface",`
`1488`	`1489`	`ZSTR_VAL(Z_STR_P(iterator_class_zv)));`