Fix GH-20503: Assertion failure with ext/date DateInterval property hash

When a DateInterval object has a circular reference (e.g., $obj->prop = $obj), calling json_encode() triggered an assertion failure because the get_properties handler modified a HashTable with refcount > 1.

Fixed by duplicating the properties HashTable when its refcount is greater than 1 before modifying it.

Author: heathdutton

ext/date/php_date.c

@@ -352,6 +352,7 @@ static HashTable *date_object_get_gc(zend_object *object, zval **table, int *n);
 static HashTable *date_object_get_properties_for(zend_object *object, zend_prop_purpose purpose);
 static HashTable *date_object_get_gc_interval(zend_object *object, zval **table, int *n);
 static HashTable *date_object_get_properties_interval(zend_object *object);
+static HashTable *date_object_get_properties_for_interval(zend_object *object, zend_prop_purpose purpose);
 static HashTable *date_object_get_gc_period(zend_object *object, zval **table, int *n);
 static HashTable *date_object_get_properties_for_timezone(zend_object *object, zend_prop_purpose purpose);
 static HashTable *date_object_get_gc_timezone(zend_object *object, zval **table, int *n);
@@ -1816,6 +1817,7 @@ static void date_register_classes(void) /* {{{ */
 	date_object_handlers_interval.read_property = date_interval_read_property;
 	date_object_handlers_interval.write_property = date_interval_write_property;
 	date_object_handlers_interval.get_properties = date_object_get_properties_interval;
+	date_object_handlers_interval.get_properties_for = date_object_get_properties_for_interval;
 	date_object_handlers_interval.get_property_ptr_ptr = date_interval_get_property_ptr_ptr;
 	date_object_handlers_interval.get_gc = date_object_get_gc_interval;
 	date_object_handlers_interval.compare = date_interval_compare_objects;
@@ -2155,6 +2157,7 @@ static zend_object *date_object_new_interval(zend_class_entry *class_type) /* {{
 
 	zend_object_std_init(&intern->std, class_type);
 	object_properties_init(&intern->std, class_type);
+	intern->props_cache = NULL;
 
 	return &intern->std;
 } /* }}} */
@@ -2240,6 +2243,48 @@ static HashTable *date_object_get_properties_interval(zend_object *object) /* {{
 	return props;
 } /* }}} */
 
+static HashTable *date_object_get_properties_for_interval(zend_object *object, zend_prop_purpose purpose) /* {{{ */
+{
+	HashTable *props;
+	php_interval_obj *intervalobj;
+
+	switch (purpose) {
+		case ZEND_PROP_PURPOSE_DEBUG:
+		case ZEND_PROP_PURPOSE_SERIALIZE:
+		case ZEND_PROP_PURPOSE_VAR_EXPORT:
+		case ZEND_PROP_PURPOSE_JSON:
+		case ZEND_PROP_PURPOSE_ARRAY_CAST:
+			break;
+		default:
+			return zend_std_get_properties_for(object, purpose);
+	}
+
+	intervalobj = php_interval_obj_from_obj(object);
+
+	if (!intervalobj->initialized) {
+		return zend_array_dup(zend_std_get_properties(object));
+	}
+
+	/* If cache exists and is actively in use (refcount > 1), we're in a recursive
+	 * call (e.g., circular reference during json_encode). Return the same cache
+	 * so that circular reference detection works correctly. */
+	if (intervalobj->props_cache && GC_REFCOUNT(intervalobj->props_cache) > 1) {
+		GC_ADDREF(intervalobj->props_cache);
+		return intervalobj->props_cache;
+	}
+
+	/* Create new cache or replace stale one */
+	if (intervalobj->props_cache) {
+		zend_hash_release(intervalobj->props_cache);
+	}
+	props = zend_array_dup(zend_std_get_properties(object));
+	date_interval_object_to_hash(intervalobj, props);
+	intervalobj->props_cache = props;
+
+	GC_ADDREF(props);
+	return props;
+} /* }}} */
+
 static zend_object *date_object_new_period(zend_class_entry *class_type) /* {{{ */
 {
 	php_period_obj *intern = zend_object_alloc(sizeof(php_period_obj), class_type);
@@ -2306,6 +2351,10 @@ static void date_object_free_storage_interval(zend_object *object) /* {{{ */
 		zend_string_release(intern->date_string);
 		intern->date_string = NULL;
 	}
+	if (intern->props_cache) {
+		zend_hash_release(intern->props_cache);
+		intern->props_cache = NULL;
+	}
 	timelib_rel_time_dtor(intern->diff);
 	zend_object_std_dtor(&intern->std);
 } /* }}} */

ext/date/php_date.h

@@ -75,6 +75,7 @@ struct _php_interval_obj {
 	bool              from_string;
 	zend_string      *date_string;
 	bool              initialized;
+	HashTable        *props_cache;
 	zend_object       std;
 };
 

ext/date/tests/bug-gh20503.phpt

@@ -0,0 +1,24 @@
+--TEST--
+GH-20503 (Assertion failure with DateInterval and json_encode on circular reference)
+--FILE--
+<?php
+$obj = new DateInterval('P1W');
+$obj->circular = $obj;
+
+// json_encode with circular reference previously caused an assertion failure
+// in debug builds when modifying a HashTable with refcount > 1
+$result = json_encode($obj);
+var_dump($result === false);
+var_dump(json_last_error() === JSON_ERROR_RECURSION);
+
+// Also verify array cast works
+$props = (array) $obj;
+var_dump(count($props) > 0);
+var_dump(isset($props['circular']));
+?>
+--EXPECTF--
+Deprecated: Creation of dynamic property DateInterval::$circular is deprecated in %s on line %d
+bool(true)
+bool(true)
+bool(true)
+bool(true)