Patch cleanup for 5.6.5 From b7fa67742cd8d2b0ca0c0273b157f6ffee9ad6e2 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 26 Jul 2015 17:25:25 -0700 Subject: [PATCH] Fix bug #70068 (Dangling pointer in the unserialization of ArrayObject items) --- ext/spl/spl_array.c | 90 +++++++++++++++++++++++---------------------- ext/spl/tests/bug70068.phpt | 9 +++++ 2 files changed, 56 insertions(+), 43 deletions(-) create mode 100644 ext/spl/tests/bug70068.phpt diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index ec9ce21..a37eced 100644 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -1770,13 +1770,11 @@ SPL_METHOD(Array, unserialize) ALLOC_INIT_ZVAL(pflags); if (!php_var_unserialize(&pflags, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pflags) != IS_LONG) { - zval_ptr_dtor(&pflags); goto outexcept; } --p; /* for ';' */ flags = Z_LVAL_P(pflags); - zval_ptr_dtor(&pflags); /* flags needs to be verified and we also need to verify whether the next * thing we get is ';'. After that we require an 'm' or somethign else * where 'm' stands for members and anything else should be an array. If @@ -1826,10 +1824,16 @@ SPL_METHOD(Array, unserialize) /* done reading $serialized */ PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + if (pflags) { + zval_ptr_dtor(&pflags); + } return; outexcept: PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + if (pflags) { + zval_ptr_dtor(&pflags); + } zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len); return; diff --git a/ext/spl/tests/bug70068.phpt b/ext/spl/tests/bug70068.phpt new file mode 100644 index 0000000..92a38df --- /dev/null +++ b/ext/spl/tests/bug70068.phpt @@ -0,0 +1,9 @@ +--TEST-- +Bug #70068 (Dangling pointer in the unserialization of ArrayObject items) +--FILE-- + +OK +--EXPECT-- +OK \ No newline at end of file -- 2.1.4