1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
|
Backported from 5.6.26 by Remi.
From 589cfc7d0ebbc2399b6cbac3351ae26d569e9600 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 11 Sep 2016 20:24:13 -0700
Subject: [PATCH] Fix bug #73029 - Missing type check when unserializing
SplArray
---
ext/spl/spl_array.c | 10 ++++++----
ext/spl/tests/bug73029.phpt | 16 ++++++++++++++++
2 files changed, 22 insertions(+), 4 deletions(-)
create mode 100644 ext/spl/tests/bug73029.phpt
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 42a8e7a..700d609 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -306,7 +306,7 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object,
long index;
HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
- if (!offset) {
+ if (!offset || !ht) {
return &EG(uninitialized_zval_ptr);
}
@@ -1796,7 +1796,9 @@ SPL_METHOD(Array, unserialize)
intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK;
zval_ptr_dtor(&intern->array);
ALLOC_INIT_ZVAL(intern->array);
- if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+ if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)
+ || (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) {
+ zval_ptr_dtor(&intern->array);
goto outexcept;
}
var_push_dtor(&var_hash, &intern->array);
diff --git a/ext/spl/tests/bug73029.phpt b/ext/spl/tests/bug73029.phpt
new file mode 100644
index 0000000..a379f80
--- /dev/null
+++ b/ext/spl/tests/bug73029.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #73029: Missing type check when unserializing SplArray
+--FILE--
+<?php
+try {
+$a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}';
+$m = unserialize($a);
+$x = $m[2];
+} catch(UnexpectedValueException $e) {
+ print $e->getMessage() . "\n";
+}
+?>
+DONE
+--EXPECTF--
+Error at offset 10 of 19 bytes
+DONE
From 812f9c8a632f74d475cbc5b82e09190c8d47f740 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 12 Sep 2016 20:12:41 -0700
Subject: [PATCH] Fix test
---
ext/spl/tests/bug70068.phpt | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/ext/spl/tests/bug70068.phpt b/ext/spl/tests/bug70068.phpt
index 92a38df..96b2fa8 100644
--- a/ext/spl/tests/bug70068.phpt
+++ b/ext/spl/tests/bug70068.phpt
@@ -2,8 +2,13 @@
Bug #70068 (Dangling pointer in the unserialization of ArrayObject items)
--FILE--
<?php
+try {
$a = unserialize('a:3:{i:0;C:11:"ArrayObject":20:{x:i:0;r:3;;m:a:0:{};}i:1;d:11;i:2;S:31:"AAAAAAAABBBBCCCC\01\00\00\00\04\00\00\00\00\00\00\00\00\00\00";}');
+} catch(Exception $e) {
+ print $e->getMessage()."\n";
+}
?>
OK
--EXPECT--
+Error at offset 10 of 20 bytes
OK
\ No newline at end of file
|
