Fix GH-21731: Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state

iliaal · iliaal · commit cd7de3e39022 · 2026-04-11T21:34:46.000-04:00
The constructor rejects a seed that would leave the internal state all zero, because xoshiro256** with zero state produces 0 on every call forever. The unserialize callback didn't check the same invariant. A caller feeding a crafted serialized payload through __unserialize() ended up with a live engine that returned 0 from every operation. Match the constructor: reject the all-zero state from the unserialize callback too. The Mt19937-aliased __unserialize() wrapper turns the false return into the standard "Invalid serialization data" exception. Closes GH-21731
diff --git a/NEWS b/NEWS
@@ -31,6 +31,10 @@ PHP                                                                        NEWS
 - OpenSSL:
   . Fix a bunch of memory leaks and crashes on edge cases. (ndossche)
 
+- Random:
+  . Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize()
+    accepts all-zero state). (iliaal)
+
 - SPL:
   . Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent
     free). (Girgias)
diff --git a/ext/random/engine_xoshiro256starstar.c b/ext/random/engine_xoshiro256starstar.c
@@ -151,6 +151,12 @@ static bool unserialize(void *state, HashTable *data)
 		}
 	}
 
+	/* An all-zero state generates zero forever. The constructor rejects
+	 * such a seed; reject it here for symmetry. */
+	if (UNEXPECTED(s->state[0] == 0 && s->state[1] == 0 && s->state[2] == 0 && s->state[3] == 0)) {
+		return false;
+	}
+
 	return true;
 }
 
diff --git a/ext/random/tests/02_engine/xoshiro256starstar_unserialize_zero_state.phpt b/ext/random/tests/02_engine/xoshiro256starstar_unserialize_zero_state.phpt
@@ -0,0 +1,21 @@
+--TEST--
+GH-21731: Xoshiro256StarStar::__unserialize() must reject the all-zero state
+--FILE--
+<?php declare(strict_types = 1);
+
+use Random\Engine\Xoshiro256StarStar;
+
+try {
+    $engine = new Xoshiro256StarStar(42);
+    $engine->__unserialize([
+        [],
+        ['0000000000000000', '0000000000000000', '0000000000000000', '0000000000000000'],
+    ]);
+    echo "FAIL: __unserialize() accepted zero state\n";
+} catch (\Exception $e) {
+    echo $e::class, ': ', $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Exception: Invalid serialization data for Random\Engine\Xoshiro256StarStar object

Original file line number	Diff line number	Diff line change
`@@ -151,6 +151,12 @@ static bool unserialize(void state, HashTable data)`
`151`	`151`	`}`
`152`	`152`	`}`
`153`	`153`
	`154`	`+ /* An all-zero state generates zero forever. The constructor rejects`
	`155`	`+ * such a seed; reject it here for symmetry. */`
	`156`	`+ if (UNEXPECTED(s->state[0] == 0 && s->state[1] == 0 && s->state[2] == 0 && s->state[3] == 0)) {`
	`157`	`+ return false;`
	`158`	`+ }`
	`159`	`+`
`154`	`160`	`return true;`
`155`	`161`	`}`
`156`	`162`