authorStanislav Malyshev <stas@php.net>2017-01-02 20:56:32 -0800
committerStanislav Malyshev <stas@php.net>2017-01-02 20:56:32 -0800
commitfa2125df6766bb7edac0a0bf433940465da9af4b (patch)
tree053adf559eee771166e42a2787281d4745dbf855
parenta65ad951ad95944e357703caa2001f06a4225bf6 (diff)
parent1cda0d7c2ffb62d8331c64e703131d9cabdc03ea (diff)
downloadphp-git-fa2125df6766bb7edac0a0bf433940465da9af4b.tar.gz
Merge branch 'PHP-5.6.30' into PHP-5.6
* PHP-5.6.30: Fix bug #73737 FPE when parsing a tag format Fix bug #73773 - Seg fault when loading hostile phar Fix bug #73825 - Heap out of bounds read on unserialize in finish_nested_data() Fix bug #73768 - Memory corruption when loading hostile phar Fix int overflows in phar (bug #73764)
-rw-r--r--ext/exif/exif.c2
-rw-r--r--ext/exif/tests/bug73737.phpt12
-rw-r--r--ext/exif/tests/bug73737.tiffbin0 -> 48 bytes
-rw-r--r--ext/phar/phar.c7
-rw-r--r--ext/phar/tests/bug73764.pharbin0 -> 138 bytes
-rw-r--r--ext/phar/tests/bug73764.phpt16
-rw-r--r--ext/phar/tests/bug73768.pharbin0 -> 219 bytes
-rw-r--r--ext/phar/tests/bug73768.phpt16
-rw-r--r--ext/standard/tests/serialize/bug73825.phpt12
-rw-r--r--ext/standard/var_unserializer.c997
-rw-r--r--ext/standard/var_unserializer.re20
11 files changed, 571 insertions, 511 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 8b0e34c10d..83daee6f54 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -1303,7 +1303,7 @@ static size_t exif_convert_any_to_int(void *value, int format, int motorola_inte
if (s_den == 0) {
return 0;
} else {
- return php_ifd_get32s(value, motorola_intel) / s_den;
+ return (size_t)((double)php_ifd_get32s(value, motorola_intel) / s_den);
}
case TAG_FMT_SSHORT: return php_ifd_get16u(value, motorola_intel);
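Review bot: The new `(size_t)` cast on the double quotient is undefined behaviour whenever the quotient is negative, because C11 6.3.1.4 leaves conversion of a floating value outside the range of the target integer type undefined; php_ifd_get32s returns a signed 32-bit value, so a negative numerator with a positive denominator gives exactly such a value, as does the INT_MIN / -1 case the double was introduced to avoid. The previous signed-to-size_t conversion at least had defined modular wrap, so the fix trades a trap for UB on the same inputs. Going through a signed type wide enough for the whole quotient keeps the wrap defined: `return (size_t)(long long)((double)php_ifd_get32s(value, motorola_intel) / s_den);`. exif_convert_any_to_int starts and ends outside the hunk, and the type of s_den is not visible here.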
diff --git a/ext/exif/tests/bug73737.phpt b/ext/exif/tests/bug73737.phpt
new file mode 100644
index 0000000000..21eaf80585
--- /dev/null
+++ b/ext/exif/tests/bug73737.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #73737 (Crash when parsing a tag format)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+ $exif = exif_thumbnail(__DIR__ . '/bug73737.tiff');
+ var_dump($exif);
+?>
+--EXPECTF--
+Warning: exif_thumbnail(bug73737.tiff): Error in TIFF: filesize(x0030) less than start of IFD dir(x10102) in %s line %d
+bool(false)
diff --git a/ext/exif/tests/bug73737.tiff b/ext/exif/tests/bug73737.tiff
new file mode 100644
index 0000000000..2cb036fc47
--- /dev/null
+++ b/ext/exif/tests/bug73737.tiff
Binary files differ
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index 14b80e175e..780be43257 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -981,7 +981,6 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
/* if the alias is stored we enforce it (implicit overrides explicit) */
if (alias && alias_len && (alias_len != (int)tmp_len || strncmp(alias, buffer, tmp_len)))
{
- buffer[tmp_len] = '\0';
php_stream_close(fp);
if (signature) {
@@ -989,7 +988,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
}
if (error) {
- spprintf(error, 0, "cannot load phar \"%s\" with implicit alias \"%s\" under different alias \"%s\"", fname, buffer, alias);
+ spprintf(error, 0, "cannot load phar \"%s\" with implicit alias \"%.*s\" under different alias \"%s\"", fname, tmp_len, buffer, alias);
}
efree(savebuf);
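Review bot: The `%.*s` precision in the new spprintf call consumes an int vararg, but tmp_len's type is not visible in the hunk, and the comparison in the previous hunk writes `(int)tmp_len`, which suggests it is not an int; passing a size_t or uint32_t where the formatter reads an int is a varargs type mismatch (spprintf's `*` handling presumably reads an int as printf does). Casting at the call site, consistent with the comparison above, keeps the call well-formed: `fname, (int)tmp_len, buffer, alias);`. phar_parse_pharfile starts and ends outside the hunk.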
@@ -1055,7 +1054,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
entry.is_persistent = mydata->is_persistent;
for (manifest_index = 0; manifest_index < manifest_count; ++manifest_index) {
- if (buffer + 4 > endbuffer) {
+ if (buffer + 28 > endbuffer) {
MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)")
}
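Review bot: `buffer + 28 > endbuffer` forms a pointer that can lie more than one element past the end of the manifest buffer before it is compared, which is undefined behaviour even though the intent is a bounds check; `endbuffer - buffer < 28` asks the same question without forming the out-of-range pointer, and is the form the next hunk already uses. The literal 28 (and the 24 in the next hunk) appears to be the fixed size of a manifest entry header and deserves one named constant so the two checks cannot drift apart: `if (endbuffer - buffer < 28) {`. The loop body continues outside the hunk, so how far buffer advances between this check and the filename_len check cannot be confirmed here.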
@@ -1069,7 +1068,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
entry.manifest_pos = manifest_index;
}
- if (entry.filename_len + 20 > endbuffer - buffer) {
+ if (entry.filename_len > endbuffer - buffer - 24) {
MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
}
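Review bot: The new comparison `entry.filename_len > endbuffer - buffer - 24` mixes filename_len, whose type is not visible in the hunk, with a ptrdiff_t right-hand side that goes negative once fewer than 24 bytes remain; if filename_len is an unsigned 32-bit field and ptrdiff_t is 32 bits wide, the usual arithmetic conversions turn the negative remainder into a large unsigned value and the truncation check passes. The 28-byte check at the top of the loop presumably keeps the remainder non-negative here, but buffer is advanced between the two checks outside the hunk, so the guard should not depend on it. Rejecting the short remainder explicitly before the subtraction removes the dependency: `if (endbuffer - buffer < 24 || entry.filename_len > (size_t)(endbuffer - buffer - 24)) {`. phar_parse_pharfile starts and ends outside the hunk.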
diff --git a/ext/phar/tests/bug73764.phar b/ext/phar/tests/bug73764.phar
new file mode 100644
index 0000000000..89a5ff6542
--- /dev/null
+++ b/ext/phar/tests/bug73764.phar
Binary files differ
diff --git a/ext/phar/tests/bug73764.phpt b/ext/phar/tests/bug73764.phpt
new file mode 100644
index 0000000000..cab314a731
--- /dev/null
+++ b/ext/phar/tests/bug73764.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Phar: PHP bug #73764: Crash while loading hostile phar archive
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+chdir(__DIR__);
+try {
+$p = Phar::LoadPhar('bug73764.phar', 'alias.phar');
+echo "OK\n";
+} catch(PharException $e) {
+ echo $e->getMessage();
+}
+?>
+--EXPECTF--
+internal corruption of phar "%sbug73764.phar" (truncated manifest entry) \ No newline at end of file
diff --git a/ext/phar/tests/bug73768.phar b/ext/phar/tests/bug73768.phar
new file mode 100644
index 0000000000..3f429c2365
--- /dev/null
+++ b/ext/phar/tests/bug73768.phar
Binary files differ
diff --git a/ext/phar/tests/bug73768.phpt b/ext/phar/tests/bug73768.phpt
new file mode 100644
index 0000000000..37a4da0253
--- /dev/null
+++ b/ext/phar/tests/bug73768.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Phar: PHP bug #73768: Memory corruption when loading hostile phar
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+chdir(__DIR__);
+try {
+$p = Phar::LoadPhar('bug73768.phar', 'alias.phar');
+echo "OK\n";
+} catch(PharException $e) {
+ echo $e->getMessage();
+}
+?>
+--EXPECTF--
+cannot load phar "%sbug73768.phar" with implicit alias "" under different alias "alias.phar"
diff --git a/ext/standard/tests/serialize/bug73825.phpt b/ext/standard/tests/serialize/bug73825.phpt
new file mode 100644
index 0000000000..adbfca1bbb
--- /dev/null
+++ b/ext/standard/tests/serialize/bug73825.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #73825 Heap out of bounds read on unserialize in finish_nested_data()
+--FILE--
+<?php
+$obj = unserialize('O:8:"00000000":');
+var_dump($obj);
+?>
+--EXPECTF--
+Warning: Bad unserialize data in %sbug73825.php on line %d
+
+Notice: unserialize(): Error at offset 13 of 15 bytes in %sbug73825.php on line %d
+bool(false)
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
index 584e98e275..79d98e5a24 100644
--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
@@ -1,4 +1,4 @@
-/* Generated by re2c 0.16 */
+/* Generated by re2c 0.13.7.5 */
#line 1 "ext/standard/var_unserializer.re"
/*
+----------------------------------------------------------------------+
@@ -405,6 +405,11 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
{
long elements;
+ if( *p >= max - 2) {
+ zend_error(E_WARNING, "Bad unserialize data");
+ return -1;
+ }
+
elements = parse_iv2((*p) + 2, p);
(*p) += 2;
@@ -415,7 +420,7 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
/* If this class implements Serializable, it should not land here but in object_custom(). The passed string
obviously doesn't descend from the regular serializer. */
zend_error(E_WARNING, "Erroneous data format for unserializing '%s'", ce->name);
- return 0;
+ return -1;
}
return elements;
@@ -492,7 +497,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
-#line 496 "ext/standard/var_unserializer.c"
+#line 501 "ext/standard/var_unserializer.c"
{
YYCTYPE yych;
static const unsigned char yybm[] = {
@@ -529,507 +534,112 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0,
};
+
if ((YYLIMIT - YYCURSOR) < 7) YYFILL(7);
yych = *YYCURSOR;
switch (yych) {
case 'C':
- case 'O': goto yy4;
+ case 'O': goto yy13;
case 'N': goto yy5;
- case 'R': goto yy6;
- case 'S': goto yy7;
- case 'a': goto yy8;
- case 'b': goto yy9;
- case 'd': goto yy10;
- case 'i': goto yy11;
+ case 'R': goto yy2;
+ case 'S': goto yy10;
+ case 'a': goto yy11;
+ case 'b': goto yy6;
+ case 'd': goto yy8;
+ case 'i': goto yy7;
case 'o': goto yy12;
- case 'r': goto yy13;
- case 's': goto yy14;
- case '}': goto yy15;
- default: goto yy2;
+ case 'r': goto yy4;
+ case 's': goto yy9;
+ case '}': goto yy14;
+ default: goto yy16;
}
yy2:
- ++YYCURSOR;
+ yych = *(YYMARKER = ++YYCURSOR);
+ if (yych == ':') goto yy95;
yy3:
-#line 863 "ext/standard/var_unserializer.re"
+#line 877 "ext/standard/var_unserializer.re"
{ return 0; }
-#line 556 "ext/standard/var_unserializer.c"
+#line 563 "ext/standard/var_unserializer.c"
yy4:
yych = *(YYMARKER = ++YYCURSOR);
- if (yych == ':') goto yy17;
+ if (yych == ':') goto yy89;
goto yy3;
yy5:
yych = *++YYCURSOR;
- if (yych == ';') goto yy19;
+ if (yych == ';') goto yy87;
goto yy3;
yy6:
yych = *(YYMARKER = ++YYCURSOR);
- if (yych == ':') goto yy21;
+ if (yych == ':') goto yy83;
goto yy3;
yy7:
yych = *(YYMARKER = ++YYCURSOR);
- if (yych == ':') goto yy22;
+ if (yych == ':') goto yy77;
goto yy3;
yy8:
yych = *(YYMARKER = ++YYCURSOR);
- if (yych == ':') goto yy23;
+ if (yych == ':') goto yy53;
goto yy3;
yy9:
yych = *(YYMARKER = ++YYCURSOR);
- if (yych == ':') goto yy24;
+ if (yych == ':') goto yy46;
goto yy3;
yy10:
yych = *(YYMARKER = ++YYCURSOR);
- if (yych == ':') goto yy25;
+ if (yych == ':') goto yy39;
goto yy3;
yy11:
yych = *(YYMARKER = ++YYCURSOR);
- if (yych == ':') goto yy26;
+ if (yych == ':') goto yy32;
goto yy3;
yy12:
yych = *(YYMARKER = ++YYCURSOR);
- if (yych == ':') goto yy27;
+ if (yych == ':') goto yy25;
goto yy3;
yy13:
yych = *(YYMARKER = ++YYCURSOR);
- if (yych == ':') goto yy28;
+ if (yych == ':') goto yy17;
goto yy3;
yy14:
- yych = *(YYMARKER = ++YYCURSOR);
- if (yych == ':') goto yy29;
- goto yy3;
-yy15:
++YYCURSOR;
-#line 857 "ext/standard/var_unserializer.re"
+#line 871 "ext/standard/var_unserializer.re"
{
/* this is the case where we have less data than planned */
php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data");
return 0; /* not sure if it should be 0 or 1 here? */
}
-#line 609 "ext/standard/var_unserializer.c"
+#line 612 "ext/standard/var_unserializer.c"
+yy16:
+ yych = *++YYCURSOR;
+ goto yy3;
yy17:
yych = *++YYCURSOR;
if (yybm[0+yych] & 128) {
- goto yy31;
+ goto yy20;
}
- if (yych == '+') goto yy30;
+ if (yych == '+') goto yy19;
yy18:
YYCURSOR = YYMARKER;
goto yy3;
yy19:
- ++YYCURSOR;
-#line 544 "ext/standard/var_unserializer.re"
- {
- *p = YYCURSOR;
- INIT_PZVAL(*rval);
- ZVAL_NULL(*rval);
- return 1;
-}
-#line 628 "ext/standard/var_unserializer.c"
-yy21:
- yych = *++YYCURSOR;
- if (yych <= ',') {
- if (yych == '+') goto yy33;
- goto yy18;
- } else {
- if (yych <= '-') goto yy33;
- if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy34;
- goto yy18;
- }
-yy22:
- yych = *++YYCURSOR;
- if (yych == '+') goto yy36;
- if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy37;
- goto yy18;
-yy23:
- yych = *++YYCURSOR;
- if (yych == '+') goto yy39;
- if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy40;
- goto yy18;
-yy24:
- yych = *++YYCURSOR;
- if (yych <= '/') goto yy18;
- if (yych <= '1') goto yy42;
- goto yy18;
-yy25:
- yych = *++YYCURSOR;
- if (yych <= '/') {
- if (yych <= ',') {
- if (yych == '+') goto yy43;
- goto yy18;
- } else {
- if (yych <= '-') goto yy44;
- if (yych <= '.') goto yy45;
- goto yy18;
- }
- } else {
- if (yych <= 'I') {
- if (yych <= '9') goto yy46;
- if (yych <= 'H') goto yy18;
- goto yy48;
- } else {
- if (yych == 'N') goto yy49;
- goto yy18;
- }
- }
-yy26:
- yych = *++YYCURSOR;
- if (yych <= ',') {
- if (yych == '+') goto yy50;
- goto yy18;
- } else {
- if (yych <= '-') goto yy50;
- if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy51;
- goto yy18;
- }
-yy27:
- yych = *++YYCURSOR;
- if (yych <= ',') {
- if (yych == '+') goto yy53;
- goto yy18;
- } else {
- if (yych <= '-') goto yy53;
- if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy54;
- goto yy18;
- }
-yy28:
- yych = *++YYCURSOR;
- if (yych <= ',') {
- if (yych == '+') goto yy56;
- goto yy18;
- } else {
- if (yych <= '-') goto yy56;
- if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy57;
- goto yy18;
- }
-yy29:
- yych = *++YYCURSOR;
- if (yych == '+') goto yy59;
- if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy60;
- goto yy18;
-yy30:
yych = *++YYCURSOR;
if (yybm[0+yych] & 128) {
- goto yy31;
+ goto yy20;
}
goto yy18;
-yy31:
+yy20:
++YYCURSOR;
if ((YYLIMIT - YYCURSOR) < 2) YYFILL(2);
yych = *YYCURSOR;
if (yybm[0+yych] & 128) {
- goto yy31;
+ goto yy20;
}
if (yych <= '/') goto yy18;
- if (yych <= ':') goto yy62;
- goto yy18;
-yy33:
- yych = *++YYCURSOR;
- if (yych <= '/') goto yy18;
- if (yych >= ':') goto yy18;
-yy34:
- ++YYCURSOR;
- if (YYLIMIT <= YYCURSOR) YYFILL(1);
- yych = *YYCURSOR;
- if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy34;
- if (yych == ';') goto yy63;
- goto yy18;
-yy36:
- yych = *++YYCURSOR;
- if (yych <= '/') goto yy18;
- if (yych >= ':') goto yy18;
-yy37:
- ++YYCURSOR;
- if ((YYLIMIT - YYCURSOR) < 2) YYFILL(2);
- yych = *YYCURSOR;
- if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy37;
- if (yych <= ':') goto yy65;
- goto yy18;
-yy39:
- yych = *++YYCURSOR;
- if (yych <= '/') goto yy18;
- if (yych >= ':') goto yy18;
-yy40:
- ++YYCURSOR;
- if ((YYLIMIT - YYCURSOR) < 2) YYFILL(2);
- yych = *YYCURSOR;
- if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy40;
- if (yych <= ':') goto yy66;
- goto yy18;
-yy42:
- yych = *++YYCURSOR;
- if (yych == ';') goto yy67;
- goto yy18;
-yy43:
- yych = *++YYCURSOR;
- if (yych == '.') goto yy45;
- if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy46;
- goto yy18;
-yy44:
- yych = *++YYCURSOR;
- if (yych <= '/') {
- if (yych != '.') goto yy18;
- } else {
- if (yych <= '9') goto yy46;
- if (yych == 'I') goto yy48;
- goto yy18;
- }
-yy45:
- yych = *++YYCURSOR;
- if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy69;
- goto yy18;
-yy46:
- ++YYCURSOR;
- if ((YYLIMIT - YYCURSOR) < 4) YYFILL(4);
- yych = *YYCURSOR;
- if (yych <= ':') {
- if (yych <= '.') {
- if (yych <= '-') goto yy18;
- goto yy69;
- } else {
- if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy46;
- goto yy18;
- }
- } else {
- if (yych <= 'E') {
- if (yych <= ';') goto yy71;
- if (yych <= 'D') goto yy18;
- goto yy73;
- } else {
- if (yych == 'e') goto yy73;
- goto yy18;
- }
- }
-yy48:
- yych = *++YYCURSOR;
- if (yych == 'N') goto yy74;
- goto yy18;
-yy49:
- yych = *++YYCURSOR;
- if (yych == 'A') goto yy75;
- goto yy18;
-yy50:
- yych = *++YYCURSOR;
- if (yych <= '/') goto yy18;
- if (yych >= ':') goto yy18;
-yy51:
- ++YYCURSOR;
- if (YYLIMIT <= YYCURSOR) YYFILL(1);
- yych = *YYCURSOR;
- if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy51;
- if (yych == ';') goto yy76;
- goto yy18;
-yy53:
- yych = *++YYCURSOR;
- if (yych <= '/') goto yy18;
- if (yych >= ':') goto yy18;
-yy54:
- ++YYCURSOR;
- if ((YYLIMIT - YYCURSOR) < 2) YYFILL(2);
- yych = *YYCURSOR;
- if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy54;
- if (yych <= ':') goto yy78;
- goto yy18;
-yy56:
- yych = *++YYCURSOR;
- if (yych <= '/') goto yy18;
- if (yych >= ':') goto yy18;
-yy57:
- ++YYCURSOR;
- if (YYLIMIT <= YYCURSOR) YYFILL(1);
- yych = *YYCURSOR;
- if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy57;
- if (yych == ';') goto yy79;
- goto yy18;
-yy59:
- yych = *++YYCURSOR;
- if (yych <= '/') goto yy18;
- if (yych >= ':') goto yy18;
-yy60:
- ++YYCURSOR;
- if ((YYLIMIT - YYCURSOR) < 2) YYFILL(2);
- yych = *YYCURSOR;
- if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy60;
- if (yych <= ':') goto yy81;
- goto yy18;
-yy62:
- yych = *++YYCURSOR;
- if (yych == '"') goto yy82;
- goto yy18;
-yy63:
- ++YYCURSOR;
-#line 500 "ext/standard/var_unserializer.re"
- {
- long id;
-
- *p = YYCURSOR;
- if (!var_hash) return 0;
-
- id = parse_iv(start + 2) - 1;
- if (id == -1 || var_access(var_hash, id, &rval_ref) != SUCCESS) {
- return 0;
- }
-
- if (*rval != NULL) {
- var_push_dtor_no_addref(var_hash, rval);
- }
- *rval = *rval_ref;
- Z_ADDREF_PP(rval);
- Z_SET_ISREF_PP(rval);
-
- return 1;
-}
-#line 899 "ext/standard/var_unserializer.c"
-yy65:
+ if (yych >= ';') goto yy18;
yych = *++YYCURSOR;
- if (yych == '"') goto yy84;
- goto yy18;
-yy66:
- yych = *++YYCURSOR;
- if (yych == '{') goto yy86;
- goto yy18;
-yy67:
+ if (yych != '"') goto yy18;
++YYCURSOR;
-#line 551 "ext/standard/var_unserializer.re"
- {
- *p = YYCURSOR;
- INIT_PZVAL(*rval);
- ZVAL_BOOL(*rval, parse_iv(start + 2));
- return 1;
-}
-#line 917 "ext/standard/var_unserializer.c"
-yy69:
- ++YYCURSOR;
- if ((YYLIMIT - YYCURSOR) < 4) YYFILL(4);
- yych = *YYCURSOR;
- if (yych <= ';') {
- if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy69;
- if (yych <= ':') goto yy18;
- } else {
- if (yych <= 'E') {
- if (yych <= 'D') goto yy18;
- goto yy73;
- } else {
- if (yych == 'e') goto yy73;
- goto yy18;
- }
- }
-yy71:
- ++YYCURSOR;
-#line 600 "ext/standard/var_unserializer.re"
- {
-#if SIZEOF_LONG == 4
-use_double:
-#endif
- *p = YYCURSOR;
- INIT_PZVAL(*rval);
- ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL));
- return 1;
-}
-#line 947 "ext/standard/var_unserializer.c"
-yy73:
- yych = *++YYCURSOR;
- if (yych <= ',') {
- if (yych == '+') goto yy88;
- goto yy18;
- } else {
- if (yych <= '-') goto yy88;
- if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy89;
- goto yy18;
- }
-yy74:
- yych = *++YYCURSOR;
- if (yych == 'F') goto yy91;
- goto yy18;
-yy75:
- yych = *++YYCURSOR;
- if (yych == 'N') goto yy91;
- goto yy18;
-yy76:
- ++YYCURSOR;
-#line 558 "ext/standard/var_unserializer.re"
- {
-#if SIZEOF_LONG == 4
- int digits = YYCURSOR - start - 3;
-
- if (start[2] == '-' || start[2] == '+') {
- digits--;
- }
-
- /* Use double for large long values that were serialized on a 64-bit system */
- if (digits >= MAX_LENGTH_OF_LONG - 1) {
- if (digits == MAX_LENGTH_OF_LONG - 1) {
- int cmp = strncmp(YYCURSOR - MAX_LENGTH_OF_LONG, long_min_digits, MAX_LENGTH_OF_LONG - 1);
-
- if (!(cmp < 0 || (cmp == 0 && start[2] == '-'))) {
- goto use_double;
- }
- } else {
- goto use_double;
- }
- }
-#endif
- *p = YYCURSOR;
- INIT_PZVAL(*rval);
- ZVAL_LONG(*rval, parse_iv(start + 2));
- return 1;
-}
-#line 996 "ext/standard/var_unserializer.c"
-yy78:
- yych = *++YYCURSOR;
- if (yych == '"') goto yy92;
- goto yy18;
-yy79:
- ++YYCURSOR;
-#line 521 "ext/standard/var_unserializer.re"
- {
- long id;
-
- *p = YYCURSOR;
- if (!var_hash) return 0;
-
- id = parse_iv(start + 2) - 1;
- if (id == -1 || var_access(var_hash, id, &rval_ref) != SUCCESS) {
- return 0;
- }
-
- if (*rval == *rval_ref) return 0;
-
- if (*rval != NULL) {
- var_push_dtor_no_addref(var_hash, rval);
- }
- *rval = *rval_ref;
- Z_ADDREF_PP(rval);
- Z_UNSET_ISREF_PP(rval);
-
- return 1;
-}
-#line 1026 "ext/standard/var_unserializer.c"
-yy81:
- yych = *++YYCURSOR;
- if (yych == '"') goto yy94;
- goto yy18;
-yy82:
- ++YYCURSOR;
-#line 708 "ext/standard/var_unserializer.re"
+#line 717 "ext/standard/var_unserializer.re"
{
size_t len, len2, len3, maxlen;
long elements;
@@ -1171,6 +781,11 @@ yy82:
elements = object_common1(UNSERIALIZE_PASSTHRU, ce);
+ if (elements < 0) {
+ efree(class_name);
+ return 0;
+ }
+
if (incomplete_class) {
php_store_class_name(*rval, class_name, len2);
}
@@ -1178,10 +793,108 @@ yy82:
return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
-#line 1182 "ext/standard/var_unserializer.c"
-yy84:
+#line 797 "ext/standard/var_unserializer.c"
+yy25:
+ yych = *++YYCURSOR;
+ if (yych <= ',') {
+ if (yych != '+') goto yy18;
+ } else {
+ if (yych <= '-') goto yy26;
+ if (yych <= '/') goto yy18;
+ if (yych <= '9') goto yy27;
+ goto yy18;
+ }
+yy26:
+ yych = *++YYCURSOR;
+ if (yych <= '/') goto yy18;
+ if (yych >= ':') goto yy18;
+yy27:
+ ++YYCURSOR;
+ if ((YYLIMIT - YYCURSOR) < 2) YYFILL(2);
+ yych = *YYCURSOR;
+ if (yych <= '/') goto yy18;
+ if (yych <= '9') goto yy27;
+ if (yych >= ';') goto yy18;
+ yych = *++YYCURSOR;
+ if (yych != '"') goto yy18;
++YYCURSOR;
-#line 643 "ext/standard/var_unserializer.re"
+#line 704 "ext/standard/var_unserializer.re"
+ {
+ long elements;
+ if (!var_hash) return 0;
+
+ INIT_PZVAL(*rval);
+
+ elements = object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR);
+ if (elements < 0) {
+ return 0;
+ }
+ return object_common2(UNSERIALIZE_PASSTHRU, elements);
+}
+#line 835 "ext/standard/var_unserializer.c"
+yy32:
+ yych = *++YYCURSOR;
+ if (yych == '+') goto yy33;
+ if (yych <= '/') goto yy18;
+ if (yych <= '9') goto yy34;
+ goto yy18;
+yy33:
+ yych = *++YYCURSOR;
+ if (yych <= '/') goto yy18;
+ if (yych >= ':') goto yy18;
+yy34:
+ ++YYCURSOR;
+ if ((YYLIMIT - YYCURSOR) < 2) YYFILL(2);
+ yych = *YYCURSOR;
+ if (yych <= '/') goto yy18;
+ if (yych <= '9') goto yy34;
+ if (yych >= ';') goto yy18;
+ yych = *++YYCURSOR;
+ if (yych != '{') goto yy18;
+ ++YYCURSOR;
+#line 683 "ext/standard/var_unserializer.re"
+ {
+ long elements = parse_iv(start + 2);
+ /* use iv() not uiv() in order to check data range */
+ *p = YYCURSOR;
+ if (!var_hash) return 0;
+
+ if (elements < 0) {
+ return 0;
+ }
+
+ INIT_PZVAL(*rval);
+
+ array_init_size(*rval, elements);
+
+ if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_ARRVAL_PP(rval), elements, 0)) {
+ return 0;
+ }
+
+ return finish_nested_data(UNSERIALIZE_PASSTHRU);
+}
+#line 877 "ext/standard/var_unserializer.c"
+yy39:
+ yych = *++YYCURSOR;
+ if (yych == '+') goto yy40;
+ if (yych <= '/') goto yy18;
+ if (yych <= '9') goto yy41;
+ goto yy18;
+yy40:
+ yych = *++YYCURSOR;
+ if (yych <= '/') goto yy18;
+ if (yych >= ':') goto yy18;
+yy41:
+ ++YYCURSOR;
+ if ((YYLIMIT - YYCURSOR) < 2) YYFILL(2);
+ yych = *YYCURSOR;
+ if (yych <= '/') goto yy18;
+ if (yych <= '9') goto yy41;
+ if (yych >= ';') goto yy18;
+ yych = *++YYCURSOR;
+ if (yych != '"') goto yy18;
+ ++YYCURSOR;
+#line 648 "ext/standard/var_unserializer.re"
{
size_t len, maxlen;
char *str;
@@ -1216,68 +929,28 @@ yy84:
ZVAL_STRINGL(*rval, str, len, 0);
return 1;
}
-#line 1220 "ext/standard/var_unserializer.c"
-yy86:
- ++YYCURSOR;
-#line 678 "ext/standard/var_unserializer.re"
- {
- long elements = parse_iv(start + 2);
- /* use iv() not uiv() in order to check data range */
- *p = YYCURSOR;
- if (!var_hash) return 0;
-
- if (elements < 0) {
- return 0;
- }
-
- INIT_PZVAL(*rval);
-
- array_init_size(*rval, elements);
-
- if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_ARRVAL_PP(rval), elements, 0)) {
- return 0;
- }
-
- return finish_nested_data(UNSERIALIZE_PASSTHRU);
-}
-#line 1244 "ext/standard/var_unserializer.c"
-yy88:
+#line 933 "ext/standard/var_unserializer.c"
+yy46:
yych = *++YYCURSOR;
- if (yych <= ',') {
- if (yych == '+') goto yy96;
- goto yy18;
- } else {
- if (yych <= '-') goto yy96;
- if (yych <= '/') goto yy18;
- if (yych >= ':') goto yy18;
- }
-yy89:
- ++YYCURSOR;
- if (YYLIMIT <= YYCURSOR) YYFILL(1);
- yych = *YYCURSOR;
+ if (yych == '+') goto yy47;
if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy89;
- if (yych == ';') goto yy71;
+ if (yych <= '9') goto yy48;
goto yy18;
-yy91:
+yy47:
yych = *++YYCURSOR;
- if (yych == ';') goto yy97;
- goto yy18;
-yy92:
+ if (yych <= '/') goto yy18;
+ if (yych >= ':') goto yy18;
+yy48:
++YYCURSOR;
-#line 699 "ext/standard/var_unserializer.re"
- {
- if (!var_hash) return 0;
-
- INIT_PZVAL(*rval);
-
- return object_common2(UNSERIALIZE_PASSTHRU,
- object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
-}
-#line 1278 "ext/standard/var_unserializer.c"
-yy94:
+ if ((YYLIMIT - YYCURSOR) < 2) YYFILL(2);
+ yych = *YYCURSOR;
+ if (yych <= '/') goto yy18;
+ if (yych <= '9') goto yy48;
+ if (yych >= ';') goto yy18;
+ yych = *++YYCURSOR;
+ if (yych != '"') goto yy18;
++YYCURSOR;
-#line 610 "ext/standard/var_unserializer.re"
+#line 615 "ext/standard/var_unserializer.re"
{
size_t len, maxlen;
char *str;
@@ -1310,15 +983,164 @@ yy94:
ZVAL_STRINGL(*rval, str, len, 1);
return 1;
}
-#line 1314 "ext/standard/var_unserializer.c"
-yy96:
+#line 987 "ext/standard/var_unserializer.c"
+yy53:
+ yych = *++YYCURSOR;
+ if (yych <= '/') {
+ if (yych <= ',') {
+ if (yych == '+') goto yy57;
+ goto yy18;
+ } else {
+ if (yych <= '-') goto yy55;
+ if (yych <= '.') goto yy60;
+ goto yy18;
+ }
+ } else {
+ if (yych <= 'I') {
+ if (yych <= '9') goto yy58;
+ if (yych <= 'H') goto yy18;
+ goto yy56;
+ } else {
+ if (yych != 'N') goto yy18;
+ }
+ }
+ yych = *++YYCURSOR;
+ if (yych == 'A') goto yy76;
+ goto yy18;
+yy55:
+ yych = *++YYCURSOR;
+ if (yych <= '/') {
+ if (yych == '.') goto yy60;
+ goto yy18;
+ } else {
+ if (yych <= '9') goto yy58;
+ if (yych != 'I') goto yy18;
+ }
+yy56:
+ yych = *++YYCURSOR;
+ if (yych == 'N') goto yy72;
+ goto yy18;
+yy57:
+ yych = *++YYCURSOR;
+ if (yych == '.') goto yy60;
+ if (yych <= '/') goto yy18;
+ if (yych >= ':') goto yy18;
+yy58:
+ ++YYCURSOR;
+ if ((YYLIMIT - YYCURSOR) < 4) YYFILL(4);
+ yych = *YYCURSOR;
+ if (yych <= ':') {
+ if (yych <= '.') {
+ if (yych <= '-') goto yy18;
+ goto yy70;
+ } else {
+ if (yych <= '/') goto yy18;
+ if (yych <= '9') goto yy58;
+ goto yy18;
+ }
+ } else {
+ if (yych <= 'E') {
+ if (yych <= ';') goto yy63;
+ if (yych <= 'D') goto yy18;
+ goto yy65;
+ } else {
+ if (yych == 'e') goto yy65;
+ goto yy18;
+ }
+ }
+yy60:
yych = *++YYCURSOR;
if (yych <= '/') goto yy18;
- if (yych <= '9') goto yy89;
+ if (yych >= ':') goto yy18;
+yy61:
+ ++YYCURSOR;
+ if ((YYLIMIT - YYCURSOR) < 4) YYFILL(4);
+ yych = *YYCURSOR;
+ if (yych <= ';') {
+ if (yych <= '/') goto yy18;
+ if (yych <= '9') goto yy61;
+ if (yych <= ':') goto yy18;
+ } else {
+ if (yych <= 'E') {
+ if (yych <= 'D') goto yy18;
+ goto yy65;
+ } else {
+ if (yych == 'e') goto yy65;
+ goto yy18;
+ }
+ }
+yy63:
+ ++YYCURSOR;
+#line 605 "ext/standard/var_unserializer.re"
+ {
+#if SIZEOF_LONG == 4
+use_double:
+#endif
+ *p = YYCURSOR;
+ INIT_PZVAL(*rval);
+ ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL));
+ return 1;
+}
+#line 1085 "ext/standard/var_unserializer.c"
+yy65:
+ yych = *++YYCURSOR;
+ if (yych <= ',') {
+ if (yych != '+') goto yy18;
+ } else {
+ if (yych <= '-') goto yy66;
+ if (yych <= '/') goto yy18;
+ if (yych <= '9') goto yy67;
+ goto yy18;
+ }
+yy66:
+ yych = *++YYCURSOR;
+ if (yych <= ',') {
+ if (yych == '+') goto yy69;
+ goto yy18;
+ } else {
+ if (yych <= '-') goto yy69;
+ if (yych <= '/') goto yy18;
+ if (yych >= ':') goto yy18;
+ }
+yy67:
+ ++YYCURSOR;
+ if (YYLIMIT <= YYCURSOR) YYFILL(1);
+ yych = *YYCURSOR;
+ if (yych <= '/') goto yy18;
+ if (yych <= '9') goto yy67;
+ if (yych == ';') goto yy63;
goto yy18;
-yy97:
+yy69:
+ yych = *++YYCURSOR;
+ if (yych <= '/') goto yy18;
+ if (yych <= '9') goto yy67;
+ goto yy18;
+yy70:
++YYCURSOR;
-#line 585 "ext/standard/var_unserializer.re"
+ if ((YYLIMIT - YYCURSOR) < 4) YYFILL(4);
+ yych = *YYCURSOR;
+ if (yych <= ';') {
+ if (yych <= '/') goto yy18;
+ if (yych <= '9') goto yy70;
+ if (yych <= ':') goto yy18;
+ goto yy63;
+ } else {
+ if (yych <= 'E') {
+ if (yych <= 'D') goto yy18;
+ goto yy65;
+ } else {
+ if (yych == 'e') goto yy65;
+ goto yy18;
+ }
+ }
+yy72:
+ yych = *++YYCURSOR;
+ if (yych != 'F') goto yy18;
+yy73:
+ yych = *++YYCURSOR;
+ if (yych != ';') goto yy18;
+ ++YYCURSOR;
+#line 590 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
INIT_PZVAL(*rval);
@@ -1333,9 +1155,178 @@ yy97:
return 1;
}
-#line 1337 "ext/standard/var_unserializer.c"
+#line 1159 "ext/standard/var_unserializer.c"
+yy76:
+ yych = *++YYCURSOR;
+ if (yych == 'N') goto yy73;
+ goto yy18;
+yy77:
+ yych = *++YYCURSOR;
+ if (yych <= ',') {
+ if (yych != '+') goto yy18;
+ } else {
+ if (yych <= '-') goto yy78;
+ if (yych <= '/') goto yy18;
+ if (yych <= '9') goto yy79;
+ goto yy18;
+ }
+yy78:
+ yych = *++YYCURSOR;
+ if (yych <= '/') goto yy18;
+ if (yych >= ':') goto yy18;
+yy79:
+ ++YYCURSOR;
+ if (YYLIMIT <= YYCURSOR) YYFILL(1);
+ yych = *YYCURSOR;
+ if (yych <= '/') goto yy18;
+ if (yych <= '9') goto yy79;
+ if (yych != ';') goto yy18;
+ ++YYCURSOR;
+#line 563 "ext/standard/var_unserializer.re"
+ {
+#if SIZEOF_LONG == 4
+ int digits = YYCURSOR - start - 3;
+
+ if (start[2] == '-' || start[2] == '+') {
+ digits--;
+ }
+
+ /* Use double for large long values that were serialized on a 64-bit system */
+ if (digits >= MAX_LENGTH_OF_LONG - 1) {
+ if (digits == MAX_LENGTH_OF_LONG - 1) {
+ int cmp = strncmp(YYCURSOR - MAX_LENGTH_OF_LONG, long_min_digits, MAX_LENGTH_OF_LONG - 1);
+
+ if (!(cmp < 0 || (cmp == 0 && start[2] == '-'))) {
+ goto use_double;
+ }
+ } else {
+ goto use_double;
+ }
+ }
+#endif
+ *p = YYCURSOR;
+ INIT_PZVAL(*rval);
+ ZVAL_LONG(*rval, parse_iv(start + 2));
+ return 1;
+}
+#line 1213 "ext/standard/var_unserializer.c"
+yy83:
+ yych = *++YYCURSOR;
+ if (yych <= '/') goto yy18;
+ if (yych >= '2') goto yy18;
+ yych = *++YYCURSOR;
+ if (yych != ';') goto yy18;
+ ++YYCURSOR;
+#line 556 "ext/standard/var_unserializer.re"
+ {
+ *p = YYCURSOR;
+ INIT_PZVAL(*rval);
+ ZVAL_BOOL(*rval, parse_iv(start + 2));
+ return 1;
+}
+#line 1228 "ext/standard/var_unserializer.c"
+yy87:
+ ++YYCURSOR;
+#line 549 "ext/standard/var_unserializer.re"
+ {
+ *p = YYCURSOR;
+ INIT_PZVAL(*rval);
+ ZVAL_NULL(*rval);
+ return 1;
+}
+#line 1238 "ext/standard/var_unserializer.c"
+yy89:
+ yych = *++YYCURSOR;
+ if (yych <= ',') {
+ if (yych != '+') goto yy18;
+ } else {
+ if (yych <= '-') goto yy90;
+ if (yych <= '/') goto yy18;
+ if (yych <= '9') goto yy91;
+ goto yy18;
+ }
+yy90:
+ yych = *++YYCURSOR;
+ if (yych <= '/') goto yy18;
+ if (yych >= ':') goto yy18;
+yy91:
+ ++YYCURSOR;
+ if (YYLIMIT <= YYCURSOR) YYFILL(1);
+ yych = *YYCURSOR;
+ if (yych <= '/') goto yy18;
+ if (yych <= '9') goto yy91;
+ if (yych != ';') goto yy18;
+ ++YYCURSOR;
+#line 526 "ext/standard/var_unserializer.re"
+ {
+ long id;
+
+ *p = YYCURSOR;
+ if (!var_hash) return 0;
+
+ id = parse_iv(start + 2) - 1;
+ if (id == -1 || var_access(var_hash, id, &rval_ref) != SUCCESS) {
+ return 0;
+ }
+
+ if (*rval == *rval_ref) return 0;
+
+ if (*rval != NULL) {
+ var_push_dtor_no_addref(var_hash, rval);
+ }
+ *rval = *rval_ref;
+ Z_ADDREF_PP(rval);
+ Z_UNSET_ISREF_PP(rval);
+
+ return 1;
+}
+#line 1284 "ext/standard/var_unserializer.c"
+yy95:
+ yych = *++YYCURSOR;
+ if (yych <= ',') {
+ if (yych != '+') goto yy18;
+ } else {
+ if (yych <= '-') goto yy96;
+ if (yych <= '/') goto yy18;
+ if (yych <= '9') goto yy97;
+ goto yy18;
+ }
+yy96:
+ yych = *++YYCURSOR;
+ if (yych <= '/') goto yy18;
+ if (yych >= ':') goto yy18;
+yy97:
+ ++YYCURSOR;
+ if (YYLIMIT <= YYCURSOR) YYFILL(1);
+ yych = *YYCURSOR;
+ if (yych <= '/') goto yy18;
+ if (yych <= '9') goto yy97;
+ if (yych != ';') goto yy18;
+ ++YYCURSOR;
+#line 505 "ext/standard/var_unserializer.re"
+ {
+ long id;
+
+ *p = YYCURSOR;
+ if (!var_hash) return 0;
+
+ id = parse_iv(start + 2) - 1;
+ if (id == -1 || var_access(var_hash, id, &rval_ref) != SUCCESS) {
+ return 0;
+ }
+
+ if (*rval != NULL) {
+ var_push_dtor_no_addref(var_hash, rval);
+ }
+ *rval = *rval_ref;
+ Z_ADDREF_PP(rval);
+ Z_SET_ISREF_PP(rval);
+
+ return 1;
+}
+#line 1328 "ext/standard/var_unserializer.c"
}
-#line 865 "ext/standard/var_unserializer.re"
+#line 879 "ext/standard/var_unserializer.re"
return 0;
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 9eeba79f3f..7fbab9f2f0 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -409,6 +409,11 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
{
long elements;
+ if( *p >= max - 2) {
+ zend_error(E_WARNING, "Bad unserialize data");
+ return -1;
+ }
+
elements = parse_iv2((*p) + 2, p);
(*p) += 2;
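Review bot: The guard `*p >= max - 2` computes `max - 2` before comparing, which forms a pointer before the start of the buffer when fewer than two bytes were handed to the unserializer, and its `if(` spacing differs from every other `if (` in the file; `if (max - *p < 3) {` is the same condition (at least three bytes must remain so that parse_iv2 can read the byte after the two-character prefix) without forming the pointer. The guard only proves the first byte after the prefix is readable; whether parse_iv2 itself stops at max is outside the hunk. This hunk and the next one (return -1 on the Serializable check) change object_common1's contract from "0 on error" to "-1 on error", so the function header, which is outside the hunk, should say so, e.g. `/* Returns the property count, or -1 after raising a warning on truncated or malformed data; callers must check before calling object_common2. */`. The same two hunks are mirrored in the generated var_unserializer.c.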
@@ -419,7 +424,7 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
/* If this class implements Serializable, it should not land here but in object_custom(). The passed string
obviously doesn't descend from the regular serializer. */
zend_error(E_WARNING, "Erroneous data format for unserializing '%s'", ce->name);
- return 0;
+ return -1;
}
return elements;
@@ -697,12 +702,16 @@ use_double:
}
"o:" iv ":" ["] {
+ long elements;
if (!var_hash) return 0;
INIT_PZVAL(*rval);
- return object_common2(UNSERIALIZE_PASSTHRU,
- object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
+ elements = object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR);
+ if (elements < 0) {
+ return 0;
+ }
+ return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
object ":" uiv ":" ["] {
@@ -846,6 +855,11 @@ object ":" uiv ":" ["] {
elements = object_common1(UNSERIALIZE_PASSTHRU, ce);
+ if (elements < 0) {
+ efree(class_name);
+ return 0;
+ }
+
if (incomplete_class) {
php_store_class_name(*rval, class_name, len2);
}