-
-
Save anonymous/4b193ba0da937e11710e620b83a1aca0 to your computer and use it in GitHub Desktop.
Patch for 73331
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
commit 6045de69c7dedcba3eadf7c4bba424b19c81d00d | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Sun Oct 23 20:07:47 2016 -0700 | |
Fix bug #73331 - do not try to serialize/unserialize objects wddx can not handle | |
Proper soltion would be to call serialize/unserialize and deal with the result, | |
but this requires more work that should be done by wddx maintainer (not me). | |
diff --git a/ext/pdo/pdo_stmt.c b/ext/pdo/pdo_stmt.c | |
index f5c295c..9f9ada9 100644 | |
--- a/ext/pdo/pdo_stmt.c | |
+++ b/ext/pdo/pdo_stmt.c | |
@@ -2338,6 +2338,7 @@ void pdo_stmt_init(TSRMLS_D) | |
pdo_row_ce->ce_flags |= ZEND_ACC_FINAL_CLASS; /* when removing this a lot of handlers need to be redone */ | |
pdo_row_ce->create_object = pdo_row_new; | |
pdo_row_ce->serialize = pdo_row_serialize; | |
+ pdo_row_ce->unserialize = zend_class_unserialize_deny; | |
} | |
static void free_statement(pdo_stmt_t *stmt TSRMLS_DC) | |
diff --git a/ext/wddx/tests/bug45901.phpt b/ext/wddx/tests/bug45901.phpt | |
index 4084ccb..e76e47e 100644 | |
--- a/ext/wddx/tests/bug45901.phpt | |
+++ b/ext/wddx/tests/bug45901.phpt | |
@@ -14,5 +14,7 @@ echo wddx_serialize_value($xml, 'Variables') . "\n"; | |
echo "DONE"; | |
?> | |
--EXPECTF-- | |
-<wddxPacket version='1.0'><header><comment>Variables</comment></header><data><struct><var name='php_class_name'><string>SimpleXMLElement</string></var><var name='test'><struct><var name='php_class_name'><string>SimpleXMLElement</string></var></struct></var></struct></data></wddxPacket> | |
+ | |
+Warning: wddx_serialize_value(): Class SimpleXMLElement can not be serialized in %sbug45901.php on line %d | |
+<wddxPacket version='1.0'><header><comment>Variables</comment></header><data></data></wddxPacket> | |
DONE | |
\ No newline at end of file | |
diff --git a/ext/wddx/tests/bug72790.phpt b/ext/wddx/tests/bug72790.phpt | |
index a60524b..3b08e58 100644 | |
--- a/ext/wddx/tests/bug72790.phpt | |
+++ b/ext/wddx/tests/bug72790.phpt | |
@@ -1,5 +1,5 @@ | |
--TEST-- | |
-Bug 72790: wddx_deserialize null dereference with invalid xml | |
+Bug #72790: wddx_deserialize null dereference with invalid xml | |
--SKIPIF-- | |
<?php | |
if (!extension_loaded('wddx')) { | |
diff --git a/ext/wddx/tests/bug73331.phpt b/ext/wddx/tests/bug73331.phpt | |
new file mode 100644 | |
index 0000000..7e4cda1 | |
--- /dev/null | |
+++ b/ext/wddx/tests/bug73331.phpt | |
@@ -0,0 +1,15 @@ | |
+--TEST-- | |
+Bug #73331 (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow) | |
+--SKIPIF-- | |
+<?php if (!extension_loaded("wddx") || !extension_loaded("pdo")) print "skip"; ?> | |
+--FILE-- | |
+<?php | |
+ | |
+$wddx = "<wddxPacket version='1.0'><header/><data><struct><var name='php_class_name'><string>PDORow</string></var></struct></data></wddxPacket>"; | |
+var_dump(wddx_deserialize($wddx)); | |
+?> | |
+--EXPECTF-- | |
+ | |
+Warning: wddx_deserialize(): Class pdorow can not be unserialized in %s73331.php on line %d | |
+NULL | |
+ | |
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c | |
index 0e77826..59cc8dd 100644 | |
--- a/ext/wddx/wddx.c | |
+++ b/ext/wddx/wddx.c | |
@@ -471,21 +471,26 @@ static void php_wddx_serialize_object(wddx_packet *packet, zval *obj) | |
ulong idx; | |
char tmp_buf[WDDX_BUF_LEN]; | |
HashTable *objhash, *sleephash; | |
+ zend_class_entry *ce; | |
+ PHP_CLASS_ATTRIBUTES; | |
TSRMLS_FETCH(); | |
+ PHP_SET_CLASS_ATTRIBUTES(obj); | |
+ ce = Z_OBJCE_P(obj); | |
+ if (!ce || ce->serialize || ce->unserialize) { | |
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Class %s can not be serialized", class_name); | |
+ PHP_CLEANUP_CLASS_ATTRIBUTES(); | |
+ return; | |
+ } | |
+ | |
MAKE_STD_ZVAL(fname); | |
ZVAL_STRING(fname, "__sleep", 1); | |
- | |
/* | |
* We try to call __sleep() method on object. It's supposed to return an | |
* array of property names to be serialized. | |
*/ | |
if (call_user_function_ex(CG(function_table), &obj, fname, &retval, 0, 0, 1, NULL TSRMLS_CC) == SUCCESS) { | |
if (retval && (sleephash = HASH_OF(retval))) { | |
- PHP_CLASS_ATTRIBUTES; | |
- | |
- PHP_SET_CLASS_ATTRIBUTES(obj); | |
- | |
php_wddx_add_chunk_static(packet, WDDX_STRUCT_S); | |
snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR); | |
php_wddx_add_chunk(packet, tmp_buf); | |
@@ -494,8 +499,6 @@ static void php_wddx_serialize_object(wddx_packet *packet, zval *obj) | |
php_wddx_add_chunk_static(packet, WDDX_STRING_E); | |
php_wddx_add_chunk_static(packet, WDDX_VAR_E); | |
- PHP_CLEANUP_CLASS_ATTRIBUTES(); | |
- | |
objhash = HASH_OF(obj); | |
for (zend_hash_internal_pointer_reset(sleephash); | |
@@ -516,10 +519,6 @@ static void php_wddx_serialize_object(wddx_packet *packet, zval *obj) | |
} else { | |
uint key_len; | |
- PHP_CLASS_ATTRIBUTES; | |
- | |
- PHP_SET_CLASS_ATTRIBUTES(obj); | |
- | |
php_wddx_add_chunk_static(packet, WDDX_STRUCT_S); | |
snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR); | |
php_wddx_add_chunk(packet, tmp_buf); | |
@@ -528,8 +527,6 @@ static void php_wddx_serialize_object(wddx_packet *packet, zval *obj) | |
php_wddx_add_chunk_static(packet, WDDX_STRING_E); | |
php_wddx_add_chunk_static(packet, WDDX_VAR_E); | |
- PHP_CLEANUP_CLASS_ATTRIBUTES(); | |
- | |
objhash = HASH_OF(obj); | |
for (zend_hash_internal_pointer_reset(objhash); | |
zend_hash_get_current_data(objhash, (void**)&ent) == SUCCESS; | |
@@ -551,6 +548,8 @@ static void php_wddx_serialize_object(wddx_packet *packet, zval *obj) | |
php_wddx_add_chunk_static(packet, WDDX_STRUCT_E); | |
} | |
+ PHP_CLEANUP_CLASS_ATTRIBUTES(); | |
+ | |
zval_dtor(fname); | |
FREE_ZVAL(fname); | |
@@ -1012,6 +1011,10 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) | |
pce = &PHP_IC_ENTRY; | |
} | |
+ if (pce != &PHP_IC_ENTRY && ((*pce)->serialize || (*pce)->unserialize)) { | |
+ ent2->data = NULL; | |
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Class %s can not be unserialized", Z_STRVAL_P(ent1->data)); | |
+ } else { | |
/* Initialize target object */ | |
MAKE_STD_ZVAL(obj); | |
object_init_ex(obj, *pce); | |
@@ -1031,7 +1034,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) | |
/* Set stack entry to point to the newly created object */ | |
ent2->data = obj; | |
- | |
+ } | |
/* Clean up class name var entry */ | |
zval_ptr_dtor(&ent1->data); | |
} else if (Z_TYPE_P(ent2->data) == IS_OBJECT) { |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment