Patch for 73029
commit 6d16288150be33392a3249e417a0929881feb9a2 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Sun Sep 11 20:24:13 2016 -0700 | |
Fix bug #73029 - Missing type check when unserializing SplArray | |
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c | |
index 42a8e7a..700d609 100644 | |
--- a/ext/spl/spl_array.c | |
+++ b/ext/spl/spl_array.c | |
@@ -308,7 +308,7 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object, | |
long index; | |
HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC); | |
- if (!offset) { | |
+ if (!offset || !ht) { | |
return &EG(uninitialized_zval_ptr); | |
} | |
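Review bot: The added `!ht` check returns `&EG(uninitialized_zval_ptr)` without recording when `spl_array_get_hash_table()` can return NULL, and it protects only this one function. A short comment above the check would help the next reader, e.g. `/* ht is NULL when the backing zval is neither an array nor an object; treat the offset as missing */` (presumably that is the case the commit title refers to; confirm against the helper). Other callers of `spl_array_get_hash_table()` lie outside this hunk and may dereference the result unchecked, so they are worth auditing in the same change. The body of spl_array_get_dimension_ptr_ptr starts and ends outside the hunk.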
@@ -1810,7 +1810,9 @@ SPL_METHOD(Array, unserialize) | |
intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK; | |
zval_ptr_dtor(&intern->array); | |
ALLOC_INIT_ZVAL(intern->array); | |
- if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) { | |
+ if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC) | |
+ || (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) { | |
+ zval_ptr_dtor(&intern->array); | |
goto outexcept; | |
} | |
var_push_dtor(&var_hash, &intern->array); | |
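Review bot: On the new failure path, `zval_ptr_dtor(&intern->array);` releases the zval but `intern->array` still holds the old pointer when control jumps to `outexcept`. Unless `outexcept` or the object's free handler resets the member (neither is visible here), a later release of `intern->array` during object destruction would drop the same reference a second time. Consider leaving the member in a defined state before the jump, e.g. `intern->array = NULL;` if the rest of the file tolerates NULL there, or re-initialising it with `ALLOC_INIT_ZVAL(intern->array);`. Note also that `ar_flags` has already been modified by the time the type check rejects the input. The enclosing method starts and ends outside the hunk.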
diff --git a/ext/spl/tests/bug73029.phpt b/ext/spl/tests/bug73029.phpt | |
new file mode 100644 | |
index 0000000..a379f80 | |
--- /dev/null | |
+++ b/ext/spl/tests/bug73029.phpt | |
@@ -0,0 +1,16 @@ | |
+--TEST-- | |
+Bug #73029: Missing type check when unserializing SplArray | |
+--FILE-- | |
+<?php | |
+try { | |
+$a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}'; | |
+$m = unserialize($a); | |
+$x = $m[2]; | |
+} catch(UnexpectedValueException $e) { | |
+ print $e->getMessage() . "\n"; | |
+} | |
+?> | |
+DONE | |
+--EXPECTF-- | |
+Error at offset 10 of 19 bytes | |
+DONE |
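Review bot: With the fix applied `unserialize($a)` throws, as the expected output shows, so `$x = $m[2];` is never executed and the `!ht` guard added to spl_array_get_dimension_ptr_ptr is not exercised by this test. A comment on that line would make the intent clear, e.g. `// not reached once unserialize() rejects the payload; kept to reproduce the original report`. If a NULL hash table can still be reached by some other route, that dimension read deserves its own test case. The body of the `try` block is also not indented, unlike the `catch` body.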