summaryrefslogtreecommitdiffstats
path: root/bug73029.patch
diff options
context:
space:
mode:
Diffstat (limited to 'bug73029.patch')
-rw-r--r--bug73029.patch89
1 files changed, 89 insertions, 0 deletions
diff --git a/bug73029.patch b/bug73029.patch
new file mode 100644
index 0000000..9e52054
--- /dev/null
+++ b/bug73029.patch
@@ -0,0 +1,89 @@
+Backported from 5.6.26 by Remi.
+
+
+From 589cfc7d0ebbc2399b6cbac3351ae26d569e9600 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 11 Sep 2016 20:24:13 -0700
+Subject: [PATCH] Fix bug #73029 - Missing type check when unserializing
+ SplArray
+
+---
+ ext/spl/spl_array.c | 10 ++++++----
+ ext/spl/tests/bug73029.phpt | 16 ++++++++++++++++
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+ create mode 100644 ext/spl/tests/bug73029.phpt
+
+diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
+index 42a8e7a..700d609 100644
+--- a/ext/spl/spl_array.c
++++ b/ext/spl/spl_array.c
+@@ -306,7 +306,7 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object,
+ long index;
+ HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
+
+- if (!offset) {
++ if (!offset || !ht) {
+ return &EG(uninitialized_zval_ptr);
+ }
+
+@@ -1796,7 +1796,9 @@ SPL_METHOD(Array, unserialize)
+ intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK;
+ zval_ptr_dtor(&intern->array);
+ ALLOC_INIT_ZVAL(intern->array);
+- if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {
++ if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)
++ || (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) {
++ zval_ptr_dtor(&intern->array);
+ goto outexcept;
+ }
+ var_push_dtor(&var_hash, &intern->array);
+diff --git a/ext/spl/tests/bug73029.phpt b/ext/spl/tests/bug73029.phpt
+new file mode 100644
+index 0000000..a379f80
+--- /dev/null
++++ b/ext/spl/tests/bug73029.phpt
+@@ -0,0 +1,16 @@
++--TEST--
++Bug #73029: Missing type check when unserializing SplArray
++--FILE--
++<?php
++try {
++$a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}';
++$m = unserialize($a);
++$x = $m[2];
++} catch(UnexpectedValueException $e) {
++ print $e->getMessage() . "\n";
++}
++?>
++DONE
++--EXPECTF--
++Error at offset 10 of 19 bytes
++DONE
+From 812f9c8a632f74d475cbc5b82e09190c8d47f740 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 12 Sep 2016 20:12:41 -0700
+Subject: [PATCH] Fix test
+
+---
+ ext/spl/tests/bug70068.phpt | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ext/spl/tests/bug70068.phpt b/ext/spl/tests/bug70068.phpt
+index 92a38df..96b2fa8 100644
+--- a/ext/spl/tests/bug70068.phpt
++++ b/ext/spl/tests/bug70068.phpt
+@@ -2,8 +2,13 @@
+ Bug #70068 (Dangling pointer in the unserialization of ArrayObject items)
+ --FILE--
+ <?php
++try {
+ $a = unserialize('a:3:{i:0;C:11:"ArrayObject":20:{x:i:0;r:3;;m:a:0:{};}i:1;d:11;i:2;S:31:"AAAAAAAABBBBCCCC\01\00\00\00\04\00\00\00\00\00\00\00\00\00\00";}');
++} catch(Exception $e) {
++ print $e->getMessage()."\n";
++}
+ ?>
+ OK
+ --EXPECT--
++Error at offset 10 of 20 bytes
+ OK
+\ No newline at end of file