Patch cleanup for 5.6.5
From b7fa67742cd8d2b0ca0c0273b157f6ffee9ad6e2 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 26 Jul 2015 17:25:25 -0700
Subject: [PATCH] Fix bug #70068 (Dangling pointer in the unserialization of
ArrayObject items)
---
ext/spl/spl_array.c | 90 +++++++++++++++++++++++----------------------
ext/spl/tests/bug70068.phpt | 9 +++++
2 files changed, 56 insertions(+), 43 deletions(-)
create mode 100644 ext/spl/tests/bug70068.phpt
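diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index ec9ce21..a37eced 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1770,13 +1770,11 @@ SPL_METHOD(Array, unserialize)
 
 ALLOC_INIT_ZVAL(pflags);
 if (!php_var_unserialize(&pflags, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pflags) != IS_LONG) {
- zval_ptr_dtor(&pflags);
 goto outexcept;
 }
 
 --p; /* for ';' */
 flags = Z_LVAL_P(pflags);
- zval_ptr_dtor(&pflags);
 /* flags needs to be verified and we also need to verify whether the next
 * thing we get is ';'. After that we require an 'm' or somethign else
 * where 'm' stands for members and anything else should be an array. If
@@ -1826,10 +1824,16 @@ SPL_METHOD(Array, unserialize)
 /* done reading $serialized */
 
 PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+ if (pflags) {
+ zval_ptr_dtor(&pflags);
+ }
 return;
 
 outexcept:
 PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+ if (pflags) {
+ zval_ptr_dtor(&pflags);
+ }
 zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len);
 return;
 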
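Review bot: The new `if (pflags)` guards at both exits in the second hunk are only safe if `pflags` is initialised to NULL at its declaration, which lies outside these hunks; `outexcept` is a shared error label, so a jump to it taken before `ALLOC_INIT_ZVAL(pflags)` would otherwise hand an indeterminate pointer to `zval_ptr_dtor`. Please confirm the declaration initialises it (`*pflags = NULL`), and consider a comment above the deferred release such as `/* keep pflags alive until var_hash is destroyed (bug #70068) */` so a later cleanup does not move the dtor back in front of `PHP_VAR_UNSERIALIZE_DESTROY`. The diffstat in the patch header lists 90 changed lines for spl_array.c while only 6 additions and 2 removals are visible here, so it is worth checking that nothing the upstream fix relied on was dropped in this backport. The body of SPL_METHOD(Array, unserialize) starts and ends outside both hunks.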
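diff --git a/ext/spl/tests/bug70068.phpt b/ext/spl/tests/bug70068.phpt
new file mode 100644
index 0000000..92a38df
--- /dev/null
+++ b/ext/spl/tests/bug70068.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #70068 (Dangling pointer in the unserialization of ArrayObject items)
+--FILE--
+
+$a = unserialize('a:3:{i:0;C:11:"ArrayObject":20:{x:i:0;r:3;;m:a:0:{};}i:1;d:11;i:2;S:31:"AAAAAAAABBBBCCCC\01\00\00\00\04\00\00\00\00\00\00\00\00\00\00";}');
+?>
+OK
+--EXPECT--
+OK
\ No newline at end of file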
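Review bot: The test only checks that `OK` is printed after `unserialize()` returns, so on a build without memory checking it can pass even while the dangling pointer is still present; it is a dependable regression test only when the suite runs under a memory checker such as Valgrind or AddressSanitizer. A one-line comment in the FILE section saying so, e.g. `// use-after-free regression: meaningful only under a memory checker`, would help whoever triages a future failure. The first line of the FILE section appears on this page as a bare `+`; the opening PHP tag was presumably lost in rendering and should be checked against the original patch before it is applied.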
--
2.1.4