1 |
vip-ire |
1.1 |
From a374dfab567ff7f0ab0dc150f14cc891b0340b47 Mon Sep 17 00:00:00 2001 |
2 |
|
|
From: Stanislav Malyshev <stas@php.net> |
3 |
|
|
Date: Sat, 21 Jun 2014 19:46:16 -0700 |
4 |
|
|
Subject: [PATCH] Fix bug #67492: unserialize() SPL ArrayObject / |
5 |
|
|
SPLObjectStorage Type Confusion |
6 |
|
|
|
7 |
|
|
--- |
8 |
|
|
ext/spl/spl_array.c | 2 +- |
9 |
|
|
ext/spl/spl_observer.c | 2 +- |
10 |
|
|
ext/spl/tests/SplObjectStorage_unserialize_bad.phpt | 5 ++++- |
11 |
|
|
3 files changed, 6 insertions(+), 3 deletions(-) |
12 |
|
|
|
13 |
|
|
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c |
14 |
|
|
index c4b237b..c38065f 100644 |
15 |
|
|
--- a/ext/spl/spl_array.c |
16 |
|
|
+++ b/ext/spl/spl_array.c |
17 |
|
|
@@ -1714,7 +1714,7 @@ SPL_METHOD(Array, unserialize) |
18 |
|
|
++p; |
19 |
|
|
|
20 |
|
|
ALLOC_INIT_ZVAL(pmembers); |
21 |
|
|
- if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p TSRMLS_CC)) { |
22 |
|
|
+ if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) { |
23 |
|
|
zval_ptr_dtor(&pmembers); |
24 |
|
|
goto outexcept; |
25 |
|
|
} |
26 |
|
|
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c |
27 |
|
|
index 57ddf49..f493154 100644 |
28 |
|
|
--- a/ext/spl/spl_observer.c |
29 |
|
|
+++ b/ext/spl/spl_observer.c |
30 |
|
|
@@ -686,7 +686,7 @@ SPL_METHOD(SplObjectStorage, unserialize) |
31 |
|
|
++p; |
32 |
|
|
|
33 |
|
|
ALLOC_INIT_ZVAL(pmembers); |
34 |
|
|
- if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) { |
35 |
|
|
+ if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) { |
36 |
|
|
zval_ptr_dtor(&pmembers); |
37 |
|
|
goto outexcept; |
38 |
|
|
} |
39 |
|
|
diff --git a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt |
40 |
|
|
index a525317..8f0676d 100644 |
41 |
|
|
--- a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt |
42 |
|
|
+++ b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt |
43 |
|
|
@@ -7,6 +7,7 @@ |
44 |
|
|
'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}', |
45 |
|
|
'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', |
46 |
|
|
'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', |
47 |
|
|
+'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"', |
48 |
|
|
); |
49 |
|
|
foreach($badblobs as $blob) { |
50 |
|
|
try { |
51 |
|
|
@@ -17,6 +18,7 @@ |
52 |
|
|
echo $e->getMessage()."\n"; |
53 |
|
|
} |
54 |
|
|
} |
55 |
|
|
+echo "DONE\n"; |
56 |
|
|
--EXPECTF-- |
57 |
|
|
Error at offset 6 of 34 bytes |
58 |
|
|
Error at offset 46 of 89 bytes |
59 |
|
|
@@ -42,4 +44,5 @@ |
60 |
|
|
} |
61 |
|
|
} |
62 |
|
|
} |
63 |
|
|
- |
64 |
|
|
+Error at offset 79 of 78 bytes |
65 |
|
|
+DONE |
66 |
|
|
|
67 |
|
|
-- |
68 |
|
|
1.9.2 |
69 |
|
|
|