author | Stanislav Malyshev <stas@php.net> | 2016-09-11 20:24:13 -0700 |
---|---|---|
committer | Anatol Belski <ab@php.net> | 2016-09-12 17:42:23 +0200 |
commit | 022e75cba104c52ccfb494ce224c2c4d0ff2dddc (patch) | |
tree | 21994069eb88c81dea4ab7e24483d53e8f886f1e | |
parent | 060ab26cfe2f25bc59eb2de593e11cea84ef70b0 (diff) | |
Fix bug #73029 - Missing type check when unserializing SplArray
(cherry picked from commit 6d16288150be33392a3249e417a0929881feb9a2)
Conflicts:
ext/spl/spl_array.c
-rw-r--r-- | ext/spl/spl_array.c | 5 | ||||
-rw-r--r-- | ext/spl/tests/bug73029.phpt | 16 |
2 files changed, 19 insertions, 2 deletions
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 60cbac5726..21f8403882 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -295,7 +295,7 @@ static zval *spl_array_get_dimension_ptr(int check_inherited, spl_array_object *
 zend_string *offset_key;
 HashTable *ht = spl_array_get_hash_table(intern);
- if (!offset || Z_ISUNDEF_P(offset)) {
+ if (!offset || Z_ISUNDEF_P(offset) || !ht) {
 return &EG(uninitialized_zval);
 }
@@ -1796,7 +1796,8 @@ SPL_METHOD(Array, unserialize)
 intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK;
 zval_ptr_dtor(&intern->array);
 ZVAL_UNDEF(&intern->array);
- if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash)) {
+ if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash)
+ || (Z_TYPE(intern->array) != IS_ARRAY && Z_TYPE(intern->array) != IS_OBJECT)) {
 goto outexcept;
 }
 var_push_dtor(&var_hash, &intern->array);
diff --git a/ext/spl/tests/bug73029.phpt b/ext/spl/tests/bug73029.phpt
new file mode 100644
index 0000000000..a379f8005e
--- /dev/null
+++ b/ext/spl/tests/bug73029.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #73029: Missing type check when unserializing SplArray
+--FILE--
+<?php
+try {
+$a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}';
+$m = unserialize($a);
+$x = $m[2];
+} catch(UnexpectedValueException $e) {
+ print $e->getMessage() . "\n";
+}
+?>
+DONE
+--EXPECTF--
+Error at offset 10 of 19 bytes
+DONE
|
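Review bot: The new `!ht` test in spl_array_get_dimension_ptr carries no comment saying when spl_array_get_hash_table() can return NULL, and the reason is not visible in this hunk. If it is the case the commit title points at, a line above the condition such as `/* ht is NULL when the backing zval is neither an array nor an object (bug #73029) */` would stop the guard from being removed later as dead code. Only this caller is guarded here; other users of spl_array_get_hash_table() lie outside the diff and presumably need the same check, or one central check inside the helper. The function body starts and ends outside the hunk.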
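Review bot: The type check in SPL_METHOD(Array, unserialize) runs only after php_var_unserialize() has written into `intern->array`, so on the `goto outexcept` path the object still holds the rejected non-array, non-object value. Repeating the two statements already used above the call, `zval_ptr_dtor(&intern->array); ZVAL_UNDEF(&intern->array);`, before the jump would mean no later code path depends on its own NULL-table guard. The outexcept label is outside the hunk, so confirm the value is not already released there and that var_hash does not still expect it. The `IS_OBJECT` arm also admits any object; if the constructor path applies stricter compatibility checks, the same ones presumably belong here.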
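Review bot: The expected output shows unserialize() throwing, so `$x = $m[2];` inside the try block never runs and the new `!ht` guard in spl_array_get_dimension_ptr is not exercised by this test. The payload also covers only an integer (`x:i:0;`) as the rejected storage value; separate cases for a string, boolean, null and double would pin the type check for each scalar type. The statements inside `try {` are not indented, which makes the block boundary harder to see.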