diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c | |
index ec9ce21..a37eced 100644 | |
--- a/ext/spl/spl_array.c | |
+++ b/ext/spl/spl_array.c | |
@@ -1774,13 +1774,11 @@ SPL_METHOD(Array, unserialize) | |
ALLOC_INIT_ZVAL(pflags); | |
if (!php_var_unserialize(&pflags, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pflags) != IS_LONG) { | |
- zval_ptr_dtor(&pflags); | |
goto outexcept; | |
} | |
--p; /* for ';' */ | |
flags = Z_LVAL_P(pflags); | |
- zval_ptr_dtor(&pflags); | |
/* flags needs to be verified and we also need to verify whether the next | |
* thing we get is ';'. After that we require an 'm' or somethign else | |
* where 'm' stands for members and anything else should be an array. If | |
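Review bot: Nothing at the spot where the two `zval_ptr_dtor(&pflags)` calls were dropped explains why pflags now has to outlive the read of `flags`, so a later maintainer could reintroduce the early free as a supposed leak fix. The regression test's title (dangling pointer) and the `r:3` back-reference in its payload suggest the zval can still be reached through var_hash after this point. A short comment after `flags = Z_LVAL_P(pflags);` would record that, for example `/* pflags may still be referenced via var_hash; it is released only after PHP_VAR_UNSERIALIZE_DESTROY() */`. The body of the unserialize method starts and ends outside this hunk.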
@@ -1830,10 +1828,16 @@ SPL_METHOD(Array, unserialize) | |
/* done reading $serialized */ | |
PHP_VAR_UNSERIALIZE_DESTROY(var_hash); | |
+ if (pflags) { | |
+ zval_ptr_dtor(&pflags); | |
+ } | |
return; | |
outexcept: | |
PHP_VAR_UNSERIALIZE_DESTROY(var_hash); | |
+ if (pflags) { | |
+ zval_ptr_dtor(&pflags); | |
+ } | |
zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len); | |
return; | |
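Review bot: The new `if (pflags)` guards on both exits are only sound if pflags is NULL until `ALLOC_INIT_ZVAL(pflags)` runs, and its declaration is outside this hunk, so that needs confirming. If a `goto outexcept` can be taken before the allocation and the declaration has no initialiser, the guard reads an indeterminate pointer and `zval_ptr_dtor` is applied to it; the declaration should read `*pflags = NULL`. The release is now duplicated on the success path and under `outexcept`. Any other `return` between the allocation and these two exits (none is visible here) would leak the zval, because the free no longer happens right after the flags are read.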
diff --git a/ext/spl/tests/bug70068.phpt b/ext/spl/tests/bug70068.phpt | |
new file mode 100644 | |
index 0000000..92a38df | |
--- /dev/null | |
+++ b/ext/spl/tests/bug70068.phpt | |
@@ -0,0 +1,9 @@ | |
+--TEST-- | |
+Bug #70068 (Dangling pointer in the unserialization of ArrayObject items) | |
+--FILE-- | |
+<?php | |
+$a = unserialize('a:3:{i:0;C:11:"ArrayObject":20:{x:i:0;r:3;;m:a:0:{};}i:1;d:11;i:2;S:31:"AAAAAAAABBBBCCCC\01\00\00\00\04\00\00\00\00\00\00\00\00\00\00";}'); | |
+?> | |
+OK | |
+--EXPECT-- | |
+OK | |
\ No newline at end of file |
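Review bot: The test passes as soon as the script reaches the literal `OK` and never inspects `$a`, so on a build without a memory checker a use-after-free that happens not to crash would still pass. Dumping the result with `var_dump($a);` and a matching `--EXPECT--` section would pin what the back-reference resolves to after the fix. Running this test under a memory checker in CI is what makes a regression reliably detectable. The file is also missing its trailing newline.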