From 816a47e4e579a41bb2d521ea3e8f15148f3552df Mon Sep 17 00:00:00 2001
From: arshidkv12
Date: Tue, 19 May 2026 15:18:39 +0530
Subject: [PATCH 1/2] ext/spl: Fix ArrayObject unserialize validation for invalid iterator classes
---
 ext/spl/spl_array.c | 3 ++-
 ext/spl/tests/GH-22047.phpt | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 ext/spl/tests/GH-22047.phpt
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 1f9f87d35841..61113d059d84 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1482,7 +1482,8 @@ PHP_METHOD(ArrayObject, __unserialize)
 RETURN_THROWS();
 }
 
- if (!instanceof_function(ce, zend_ce_iterator)) {
+ if (!instanceof_function(ce, spl_ce_ArrayIterator) &&
+ !instanceof_function(ce, spl_ce_RecursiveArrayIterator)) {
 zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0,
 "Cannot deserialize ArrayObject with iterator class '%s'; this class does not implement the Iterator interface",
 ZSTR_VAL(Z_STR_P(iterator_class_zv)));
diff --git a/ext/spl/tests/GH-22047.phpt b/ext/spl/tests/GH-22047.phpt
new file mode 100644
index 000000000000..4eb849b491c6
--- /dev/null
+++ b/ext/spl/tests/GH-22047.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-22047: ArrayObject invalid iterator class in serialized payload
+--FILE--
+ $v) {
+ echo "should not reach here\n";
+ }
+} catch (UnexpectedValueException $e) {
+ echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECTF--
+Cannot deserialize ArrayObject with iterator class 'GlobIterator'; this class does not implement the Iterator interface
From 2b452cf983723a133b378301a029b9c20459a65f Mon Sep 17 00:00:00 2001
From: arshidkv12
Date: Tue, 19 May 2026 18:31:45 +0530
Subject: [PATCH 2/2] ext/spl: Fix ArrayObject unserialize validation for invalid iterator classes
---
 ext/spl/spl_array.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 61113d059d84..4577bf19017b 100644
--- a/ext/spl/spl_array.c
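Review bot: The exception text on the new side of this hunk is now misleading: the check accepts only ArrayIterator (and, in this patch, RecursiveArrayIterator) subclasses, yet the message still says the class "does not implement the Iterator interface", which is false for a class such as GlobIterator that implements Iterator but is rejected here. The string should state the real requirement, e.g. `"Cannot deserialize ArrayObject with iterator class '%s'; this class must extend ArrayIterator"`, with the --EXPECTF-- line in ext/spl/tests/GH-22047.phpt updated to match. The same stale message survives the [PATCH 2/2] hunk, which only drops the redundant RecursiveArrayIterator clause. Presumably the narrowing is needed because the rest of ArrayObject assumes an ArrayIterator-compatible object behind the iterator class; a one-line comment above the check, such as `/* only ArrayIterator subclasses are usable as ArrayObject's iterator class; implementing Iterator alone is not enough */`, would record that for the next reader. PHP_METHOD(ArrayObject, __unserialize) begins and ends outside the hunk.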
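Review bot: The expected-output section of the new test uses --EXPECTF-- although the expected line contains no format placeholders, so the plain section gives an exact comparison for the same cost: `--EXPECTF--` should be `--EXPECT--`. The test also covers only the rejection path; a second case that unserializes a payload naming a user-defined ArrayIterator subclass would pin that legitimate iterator classes still pass the narrowed check. Part of the --FILE-- section appears to have been lost in this rendering (the opening `<?php` line and the unserialize call are not visible), so that portion cannot be reviewed here.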
+++ b/ext/spl/spl_array.c
@@ -1482,8 +1482,7 @@ PHP_METHOD(ArrayObject, __unserialize)
 RETURN_THROWS();
 }
 
- if (!instanceof_function(ce, spl_ce_ArrayIterator) &&
- !instanceof_function(ce, spl_ce_RecursiveArrayIterator)) {
+ if (!instanceof_function(ce, spl_ce_ArrayIterator)) {
 zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0,
 "Cannot deserialize ArrayObject with iterator class '%s'; this class does not implement the Iterator interface",
 ZSTR_VAL(Z_STR_P(iterator_class_zv)));