From 6d7addeb44744dcf0f36d2aac34be5e12de23c5d Mon Sep 17 00:00:00 2001
From: W0rty
Date: Fri, 27 Mar 2026 22:15:59 +0100
Subject: Fix the usage of strlen() which will return a wrong size when serialized objects contains null bytes (for example in private fields)
---
 src/sp_unserialize.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/sp_unserialize.c b/src/sp_unserialize.c
index 3e810fc..b7c5e1b 100644
--- a/src/sp_unserialize.c
+++ b/src/sp_unserialize.c
@@ -137,7 +137,7 @@ PHP_FUNCTION(sp_unserialize) {
 char* serialized_str = ecalloc(buf_len - 64 + 1, 1);
 memcpy(serialized_str, buf, buf_len - 64);
- zend_string *expected_hmac = sp_do_hash_hmac_sha256(serialized_str, strlen(serialized_str), ZSTR_VAL(SPCFG(encryption_key)), ZSTR_LEN(SPCFG(encryption_key)));
+ zend_string *expected_hmac = sp_do_hash_hmac_sha256(serialized_str, buf_len - 64, ZSTR_VAL(SPCFG(encryption_key)), ZSTR_LEN(SPCFG(encryption_key)));
 unsigned int status = 0;
 if (expected_hmac) {
--
cgit v1.3
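Review bot: The added `sp_do_hash_hmac_sha256(serialized_str, buf_len - 64, ...)` call now authenticates the whole payload, but any later consumer of `serialized_str` that still treats it as a NUL-terminated C string would act on fewer bytes than the HMAC covered. PHP_FUNCTION(sp_unserialize) starts and ends outside this hunk, so this cannot be confirmed from here; if the buffer is later passed on through a strlen-based macro such as `ZVAL_STRING`, it should become `ZVAL_STRINGL(..., serialized_str, buf_len - 64)` so that the verified bytes and the unserialized bytes are identical. The three `buf_len - 64` expressions also rely on a `buf_len >= 64` guard that is not visible in the hunk; computing the length once, e.g. `size_t payload_len = buf_len - 64;` placed after that guard, would keep the allocation, the copy and the HMAC in step. The diffstat shows no test file touched, so a regression test that round-trips an object with a private property (NUL bytes in the serialized name) would pin this fix.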