From 816a47e4e579a41bb2d521ea3e8f15148f3552df Mon Sep 17 00:00:00 2001
From: arshidkv12
Date: Tue, 19 May 2026 15:18:39 +0530
Subject: [PATCH 1/3] ext/spl: Fix ArrayObject unserialize validation for invalid iterator classes

---
 ext/spl/spl_array.c | 3 ++-
 ext/spl/tests/GH-22047.phpt | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 ext/spl/tests/GH-22047.phpt

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 1f9f87d35841..61113d059d84 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1482,7 +1482,8 @@ PHP_METHOD(ArrayObject, __unserialize)
 		RETURN_THROWS();
 	}
 
-	if (!instanceof_function(ce, zend_ce_iterator)) {
+	if (!instanceof_function(ce, spl_ce_ArrayIterator) &&
+		!instanceof_function(ce, spl_ce_RecursiveArrayIterator)) {
 		zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0,
 			"Cannot deserialize ArrayObject with iterator class '%s'; this class does not implement the Iterator interface",
 			ZSTR_VAL(Z_STR_P(iterator_class_zv)));
diff --git a/ext/spl/tests/GH-22047.phpt b/ext/spl/tests/GH-22047.phpt
new file mode 100644
index 000000000000..4eb849b491c6
--- /dev/null
+++ b/ext/spl/tests/GH-22047.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-22047: ArrayObject invalid iterator class in serialized payload
+--FILE--
+ $v) {
+    echo "should not reach here\n";
+  }
+} catch (UnexpectedValueException $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECTF--
+Cannot deserialize ArrayObject with iterator class 'GlobIterator'; this class does not implement the Iterator interface

From 2b452cf983723a133b378301a029b9c20459a65f Mon Sep 17 00:00:00 2001
From: arshidkv12
Date: Tue, 19 May 2026 18:31:45 +0530
Subject: [PATCH 2/3] ext/spl: Fix ArrayObject unserialize validation for invalid iterator classes

---
 ext/spl/spl_array.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 61113d059d84..4577bf19017b 100644
--- a/ext/spl/spl_array.c
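Review bot: The new condition on the `+` lines is the only thing standing between a class name taken straight from the serialized payload (`ZSTR_VAL(Z_STR_P(iterator_class_zv))` on the line below) and the class ArrayObject will later use as its iterator, yet nothing in the hunk records why `Iterator` alone was the wrong bar; a why-comment above the `if` would keep a later cleanup from loosening it again, e.g. `/* Name comes from untrusted unserialize() input: only ArrayIterator subclasses are acceptable here, the same rule the constructor and setIteratorClass() enforce. */`. That the constructor and setIteratorClass() already restrict the class to ArrayIterator subclasses is from memory of the surrounding file rather than this hunk, so confirm it before wording the comment that way. Patch 2/3 of this series drops the RecursiveArrayIterator test and patch 3/3 rewords the now-stale 'does not implement the Iterator interface' message, so neither is repeated here. `PHP_METHOD(ArrayObject, __unserialize)` begins before the hunk and continues after it.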
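Review bot: The new test's expectation section is `--EXPECTF--`, but the single expected line holds no `%` format placeholders, so the literal `--EXPECT--` section is the precise choice and rules out accidental pattern matching on the quoted class name. In this view the lines between `--FILE--` and ` $v) {` — the `<?php` opener and whatever builds and unserializes the payload — were lost in extraction, so only the catch half of the test is visible and the payload itself cannot be checked here. A companion positive case, a user-defined subclass of ArrayIterator round-tripping through `unserialize()`, would pin down that the tightened check does not reject legitimate subclasses, unless unserialize_errors.phpt or another existing test already covers that.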
+++ b/ext/spl/spl_array.c
@@ -1482,8 +1482,7 @@ PHP_METHOD(ArrayObject, __unserialize)
 		RETURN_THROWS();
 	}
 
-	if (!instanceof_function(ce, spl_ce_ArrayIterator) &&
-		!instanceof_function(ce, spl_ce_RecursiveArrayIterator)) {
+	if (!instanceof_function(ce, spl_ce_ArrayIterator)) {
 		zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0,
 			"Cannot deserialize ArrayObject with iterator class '%s'; this class does not implement the Iterator interface",
 			ZSTR_VAL(Z_STR_P(iterator_class_zv)));

From e6834bd018f77631375d3b07d9c9d6d6ec12e1d8 Mon Sep 17 00:00:00 2001
From: arshidkv12
Date: Sun, 24 May 2026 21:24:09 +0530
Subject: [PATCH 3/3] ext/spl: Fix ArrayObject unserialize validation for invalid iterator classes

---
 ext/spl/spl_array.c | 2 +-
 ext/spl/tests/GH-22047.phpt | 2 +-
 ext/spl/tests/unserialize_errors.phpt | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 4577bf19017b..3c776bebd1ef 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1484,7 +1484,7 @@ PHP_METHOD(ArrayObject, __unserialize)
 
 	if (!instanceof_function(ce, spl_ce_ArrayIterator)) {
 		zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0,
-			"Cannot deserialize ArrayObject with iterator class '%s'; this class does not implement the Iterator interface",
+			"Cannot deserialize ArrayObject with iterator class '%s'; this class is not derived from ArrayIterator",
 			ZSTR_VAL(Z_STR_P(iterator_class_zv)));
 		RETURN_THROWS();
 	}
diff --git a/ext/spl/tests/GH-22047.phpt b/ext/spl/tests/GH-22047.phpt
index 4eb849b491c6..1c53cbcc79f5 100644
--- a/ext/spl/tests/GH-22047.phpt
+++ b/ext/spl/tests/GH-22047.phpt
@@ -16,4 +16,4 @@ try {
 
 ?>
 --EXPECTF--
-Cannot deserialize ArrayObject with iterator class 'GlobIterator'; this class does not implement the Iterator interface
+Cannot deserialize ArrayObject with iterator class 'GlobIterator'; this class is not derived from ArrayIterator
diff --git a/ext/spl/tests/unserialize_errors.phpt b/ext/spl/tests/unserialize_errors.phpt index 1138b5c8cd54..64356923ae29 100644 --- a/ext/spl/tests/unserialize_errors.phpt +++ b/ext/spl/tests/unserialize_errors.phpt @@ -144,7 +144,7 @@ Incomplete or ill-typed serialization data Passed variable is not an array or object Incomplete or ill-typed serialization data Cannot deserialize ArrayObject with iterator class 'NonExistent'; no such class exists -Cannot deserialize ArrayObject with iterator class 'Existent'; this class does not implement the Iterator interface +Cannot deserialize ArrayObject with iterator class 'Existent'; this class is not derived from ArrayIterator ArrayIterator: Incomplete or ill-typed serialization data Incomplete or ill-typed serialization data