|
1 # Source: upstream |
|
2 # http://git.php.net/?p=php-src.git;a=commit;h=b7fa67742cd8d2b0ca0c0273b157f6ffee9ad6e2 |
|
3 # https://bugs.php.net/bug.php?id=70068 |
|
4 # Patch cleaned up |
|
5 |
|
6 From b7fa67742cd8d2b0ca0c0273b157f6ffee9ad6e2 Mon Sep 17 00:00:00 2001 |
|
7 From: Stanislav Malyshev <[email protected]> |
|
8 Date: Sun, 26 Jul 2015 17:25:25 -0700 |
|
9 Subject: [PATCH] Fix bug #70068 (Dangling pointer in the unserialization of |
|
10 ArrayObject items) |
|
11 |
|
12 --- |
|
13 ext/spl/spl_array.c | 90 +++++++++++++++++++++++---------------------- |
|
14 ext/spl/tests/bug70068.phpt | 9 +++++ |
|
15 2 files changed, 56 insertions(+), 43 deletions(-) |
|
16 create mode 100644 ext/spl/tests/bug70068.phpt |
|
17 |
|
18 diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c |
|
19 index ec9ce21..a37eced 100644 |
|
20 @@ -1774,13 +1774,11 @@ SPL_METHOD(Array, unserialize) |
|
21 |
|
22 ALLOC_INIT_ZVAL(pflags); |
|
23 if (!php_var_unserialize(&pflags, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pflags) != IS_LONG) { |
|
24 - zval_ptr_dtor(&pflags); |
|
25 goto outexcept; |
|
26 } |
|
27 |
|
28 --p; /* for ';' */ |
|
29 flags = Z_LVAL_P(pflags); |
|
30 - zval_ptr_dtor(&pflags); |
|
31 /* flags needs to be verified and we also need to verify whether the next |
|
32 * thing we get is ';'. After that we require an 'm' or somethign else |
|
33 * where 'm' stands for members and anything else should be an array. If |
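Review bot: Once the two early `zval_ptr_dtor(&pflags)` calls are gone, nothing near `flags = Z_LVAL_P(pflags);` tells a reader why the zval is deliberately kept alive for the rest of the method, and the lifetime is now coupled to `var_hash`, which is only torn down at the two exits in the next hunk. A one-line comment after that assignment would record the invariant, e.g. `/* keep pflags alive until PHP_VAR_UNSERIALIZE_DESTROY: a later r:N back-reference in the payload may still resolve to it */`. The enclosing SPL_METHOD(Array, unserialize) starts before this hunk and continues after it.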
|
34 @@ -1830,10 +1828,16 @@ SPL_METHOD(Array, unserialize) |
|
35 /* done reading $serialized */ |
|
36 |
|
37 PHP_VAR_UNSERIALIZE_DESTROY(var_hash); |
|
38 + if (pflags) { |
|
39 + zval_ptr_dtor(&pflags); |
|
40 + } |
|
41 return; |
|
42 |
|
43 outexcept: |
|
44 PHP_VAR_UNSERIALIZE_DESTROY(var_hash); |
|
45 + if (pflags) { |
|
46 + zval_ptr_dtor(&pflags); |
|
47 + } |
|
48 zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len); |
|
49 return; |
|
50 |
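Review bot: The new `if (pflags)` guards before the `return` and at `outexcept` are only sound if `pflags` is initialised to NULL at its declaration, which is outside this hunk; with a bare `zval *pflags;`, any `goto outexcept` taken before `ALLOC_INIT_ZVAL(pflags)` would hand an indeterminate pointer to `zval_ptr_dtor`. Worth confirming the declaration reads `zval *pmembers, *pflags = NULL;`, or carrying that initialiser in this patch, since the diffstat in the header lists far more changed lines in spl_array.c than the two hunks kept here, so the cleaned-up backport may have dropped it. Releasing `pflags` only after `PHP_VAR_UNSERIALIZE_DESTROY(var_hash)` on both exits is the right ordering, because the var_hash slot registered for the flags value can be reached by a later back-reference and must not outlive the zval it points at. The same dependency applies to the first hunk, which removes the early dtor calls.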
|
51 diff --git a/ext/spl/tests/bug70068.phpt b/ext/spl/tests/bug70068.phpt |
|
52 new file mode 100644 |
|
53 index 0000000..92a38df |
|
54 --- /dev/null |
|
55 +++ b/ext/spl/tests/bug70068.phpt |
|
56 @@ -0,0 +1,9 @@ |
|
57 +--TEST-- |
|
58 +Bug #70068 (Dangling pointer in the unserialization of ArrayObject items) |
|
59 +--FILE-- |
|
60 +<?php |
|
61 +$a = unserialize('a:3:{i:0;C:11:"ArrayObject":20:{x:i:0;r:3;;m:a:0:{};}i:1;d:11;i:2;S:31:"AAAAAAAABBBBCCCC\01\00\00\00\04\00\00\00\00\00\00\00\00\00\00";}'); |
|
62 +?> |
|
63 +OK |
|
64 +--EXPECT-- |
|
65 +OK |
|
66 \ No newline at end of file |
|
67 -- |
|
68 2.1.4 |
|
69 |
|
70 |