|
 |
e9ca13 |
Adapted for PHP 5.5.6 from
|
|
|
e9ca13 |
|
|
|
e9ca13 |
From 9aa90145239bae82d2af0a99fdae4ab27eb5f4f2 Mon Sep 17 00:00:00 2001
|
|
|
e9ca13 |
From: Stanislav Malyshev <stas@php.net>
|
|
|
e9ca13 |
Date: Sun, 28 Sep 2014 14:19:31 -0700
|
|
|
e9ca13 |
Subject: [PATCH] Fixed bug #68044: Integer overflow in unserialize() (32-bits
|
|
|
e9ca13 |
only)
|
|
|
e9ca13 |
|
|
|
e9ca13 |
---
|
|
|
e9ca13 |
ext/standard/tests/serialize/bug68044.phpt | 12 ++++++++++++
|
|
|
e9ca13 |
ext/standard/var_unserializer.c | 4 ++--
|
|
|
e9ca13 |
ext/standard/var_unserializer.re | 2 +-
|
|
|
e9ca13 |
3 files changed, 15 insertions(+), 3 deletions(-)
|
|
|
e9ca13 |
create mode 100644 ext/standard/tests/serialize/bug68044.phpt
|
|
|
e9ca13 |
|
|
|
e9ca13 |
diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt
|
|
|
e9ca13 |
new file mode 100644
|
|
|
e9ca13 |
index 0000000..031e44e
|
|
|
e9ca13 |
--- /dev/null
|
|
|
e9ca13 |
+++ b/ext/standard/tests/serialize/bug68044.phpt
|
|
|
e9ca13 |
@@ -0,0 +1,12 @@
|
|
|
e9ca13 |
+--TEST--
|
|
|
e9ca13 |
+Bug #68044 Integer overflow in unserialize() (32-bits only)
|
|
|
e9ca13 |
+--FILE--
|
|
|
e9ca13 |
+
|
|
|
e9ca13 |
+ echo unserialize('C:3:"XYZ":18446744075857035259:{}');
|
|
|
e9ca13 |
+?>
|
|
|
e9ca13 |
+===DONE==
|
|
|
e9ca13 |
+--EXPECTF--
|
|
|
e9ca13 |
+Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2
|
|
|
e9ca13 |
+
|
|
|
e9ca13 |
+Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2
|
|
|
e9ca13 |
+===DONE==
|
|
|
e9ca13 |
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
|
|
|
e9ca13 |
index 657051f..8129da3 100644
|
|
|
e9ca13 |
--- a/ext/standard/var_unserializer.c
|
|
|
e9ca13 |
+++ b/ext/standard/var_unserializer.c
|
|
|
e9ca13 |
@@ -369,7 +369,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
|
|
|
e9ca13 |
|
|
|
e9ca13 |
(*p) += 2;
|
|
|
e9ca13 |
|
|
|
e9ca13 |
- if (datalen < 0 || (*p) + datalen >= max) {
|
|
|
e9ca13 |
+ if (datalen < 0 || (max - (*p)) <= datalen) {
|
|
|
e9ca13 |
zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
|
|
|
e9ca13 |
return 0;
|
|
|
e9ca13 |
}
|
|
|
e9ca13 |
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
|
|
|
e9ca13 |
index 1307508..6de1583 100644
|
|
|
e9ca13 |
--- a/ext/standard/var_unserializer.re
|
|
|
e9ca13 |
+++ b/ext/standard/var_unserializer.re
|
|
|
e9ca13 |
@@ -375,7 +375,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
|
|
|
e9ca13 |
|
|
|
e9ca13 |
(*p) += 2;
|
|
|
e9ca13 |
|
|
|
e9ca13 |
- if (datalen < 0 || (*p) + datalen >= max) {
|
|
|
e9ca13 |
+ if (datalen < 0 || (max - (*p)) <= datalen) {
|
|
|
e9ca13 |
zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
|
|
|
e9ca13 |
return 0;
|
|
|
e9ca13 |
}
|
|
|
e9ca13 |
--
|
|
|
e9ca13 |
2.1.0
|
|
|
e9ca13 |
|