Skip to content

Instantly share code, notes, and snippets.

@smalyshev smalyshev/70068.diff Secret
Created Jul 27, 2015

Embed
What would you like to do?
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index ec9ce21..a37eced 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1774,13 +1774,11 @@ SPL_METHOD(Array, unserialize)
ALLOC_INIT_ZVAL(pflags);
if (!php_var_unserialize(&pflags, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pflags) != IS_LONG) {
- zval_ptr_dtor(&pflags);
goto outexcept;
}
--p; /* for ';' */
flags = Z_LVAL_P(pflags);
- zval_ptr_dtor(&pflags);
/* flags needs to be verified and we also need to verify whether the next
* thing we get is ';'. After that we require an 'm' or somethign else
* where 'm' stands for members and anything else should be an array. If
@@ -1830,10 +1828,16 @@ SPL_METHOD(Array, unserialize)
/* done reading $serialized */
PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+ if (pflags) {
+ zval_ptr_dtor(&pflags);
+ }
return;
outexcept:
PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+ if (pflags) {
+ zval_ptr_dtor(&pflags);
+ }
zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len);
return;
diff --git a/ext/spl/tests/bug70068.phpt b/ext/spl/tests/bug70068.phpt
new file mode 100644
index 0000000..92a38df
--- /dev/null
+++ b/ext/spl/tests/bug70068.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #70068 (Dangling pointer in the unserialization of ArrayObject items)
+--FILE--
+<?php
+$a = unserialize('a:3:{i:0;C:11:"ArrayObject":20:{x:i:0;r:3;;m:a:0:{};}i:1;d:11;i:2;S:31:"AAAAAAAABBBBCCCC\01\00\00\00\04\00\00\00\00\00\00\00\00\00\00";}');
+?>
+OK
+--EXPECT--
+OK
\ No newline at end of file
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.