diff options
Diffstat (limited to 'bug73029.patch')
-rw-r--r-- | bug73029.patch | 89 |
1 files changed, 89 insertions, 0 deletions
diff --git a/bug73029.patch b/bug73029.patch new file mode 100644 index 0000000..9e52054 --- /dev/null +++ b/bug73029.patch @@ -0,0 +1,89 @@ +Backported from 5.6.26 by Remi. + + +From 589cfc7d0ebbc2399b6cbac3351ae26d569e9600 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 11 Sep 2016 20:24:13 -0700 +Subject: [PATCH] Fix bug #73029 - Missing type check when unserializing + SplArray + +--- + ext/spl/spl_array.c | 10 ++++++---- + ext/spl/tests/bug73029.phpt | 16 ++++++++++++++++ + 2 files changed, 22 insertions(+), 4 deletions(-) + create mode 100644 ext/spl/tests/bug73029.phpt + +diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c +index 42a8e7a..700d609 100644 +--- a/ext/spl/spl_array.c ++++ b/ext/spl/spl_array.c +@@ -306,7 +306,7 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object, + long index; + HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC); + +- if (!offset) { ++ if (!offset || !ht) { + return &EG(uninitialized_zval_ptr); + } + +@@ -1796,7 +1796,9 @@ SPL_METHOD(Array, unserialize) + intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK; + zval_ptr_dtor(&intern->array); + ALLOC_INIT_ZVAL(intern->array); +- if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) { ++ if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC) ++ || (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) { ++ zval_ptr_dtor(&intern->array); + goto outexcept; + } + var_push_dtor(&var_hash, &intern->array); +diff --git a/ext/spl/tests/bug73029.phpt b/ext/spl/tests/bug73029.phpt +new file mode 100644 +index 0000000..a379f80 +--- /dev/null ++++ b/ext/spl/tests/bug73029.phpt +@@ -0,0 +1,16 @@ ++--TEST-- ++Bug #73029: Missing type check when unserializing SplArray ++--FILE-- ++<?php ++try { ++$a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}'; ++$m = unserialize($a); ++$x = $m[2]; ++} catch(UnexpectedValueException $e) { ++ print $e->getMessage() . "\n"; ++} ++?> ++DONE ++--EXPECTF-- ++Error at offset 10 of 19 bytes ++DONE +From 812f9c8a632f74d475cbc5b82e09190c8d47f740 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 12 Sep 2016 20:12:41 -0700 +Subject: [PATCH] Fix test + +--- + ext/spl/tests/bug70068.phpt | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/ext/spl/tests/bug70068.phpt b/ext/spl/tests/bug70068.phpt +index 92a38df..96b2fa8 100644 +--- a/ext/spl/tests/bug70068.phpt ++++ b/ext/spl/tests/bug70068.phpt +@@ -2,8 +2,13 @@ + Bug #70068 (Dangling pointer in the unserialization of ArrayObject items) + --FILE-- + <?php ++try { + $a = unserialize('a:3:{i:0;C:11:"ArrayObject":20:{x:i:0;r:3;;m:a:0:{};}i:1;d:11;i:2;S:31:"AAAAAAAABBBBCCCC\01\00\00\00\04\00\00\00\00\00\00\00\00\00\00";}'); ++} catch(Exception $e) { ++ print $e->getMessage()."\n"; ++} + ?> + OK + --EXPECT-- ++Error at offset 10 of 20 bytes + OK +\ No newline at end of file |