authorNikita Popov <nikita.ppv@gmail.com>2017-06-25 21:15:26 +0200
committerJoe Watkins <krakjoe@php.net>2017-07-06 09:48:52 +0100
commit61ba5f84774938617f78d65c06e5933cff2d8af3 (patch)
tree6e1058ad4837c042ba1ad0d43baf0739231ad148
parent498aa0ec97c46ea6a70c7ceda02bdc8b76fffd0e (diff)
Fixed bug #74111
-rw-r--r--ext/standard/tests/serialize/bug25378.phpt2
-rw-r--r--ext/standard/var_unserializer.c71
-rw-r--r--ext/standard/var_unserializer.re11
3 files changed, 41 insertions, 43 deletions
diff --git a/ext/standard/tests/serialize/bug25378.phpt b/ext/standard/tests/serialize/bug25378.phpt
index e865b96e99..e95a427006 100644
--- a/ext/standard/tests/serialize/bug25378.phpt
+++ b/ext/standard/tests/serialize/bug25378.phpt
@@ -42,7 +42,7 @@ bool(false)
Notice: unserialize(): Error at offset 17 of 33 bytes in %sbug25378.php on line %d
bool(false)
-Notice: unserialize(): Error at offset 33 of 32 bytes in %sbug25378.php on line %d
+Notice: unserialize(): Error at offset 32 of 32 bytes in %sbug25378.php on line %d
bool(false)
Notice: unserialize(): Error at offset 2 of 13 bytes in %sbug25378.php on line %d
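Review bot: No dedicated regression test for bug #74111 is added. The diffstat lists only this existing expectation file under tests, and the change here just corrects the reported offset from 33 to 32 of 32 bytes. A new .phpt that unserializes a nested value cut off right where the closing `}` is expected would pin the bounds check in finish_nested_data. An over-read of a single byte will not necessarily fail a plain run, so that test is most useful when the suite is also run under a memory checker.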
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
index 10657514b4..e24cebdcfa 100644
--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
@@ -473,13 +473,12 @@ string_key:
static inline int finish_nested_data(UNSERIALIZE_PARAMETER)
{
- if (*((*p)++) == '}')
- return 1;
+ if (*p >= max || **p != '}') {
+ return 0;
+ }
-#if SOMETHING_NEW_MIGHT_LEAD_TO_CRASH_ENABLE_IF_YOU_ARE_BRAVE
- zval_ptr_dtor(rval);
-#endif
- return 0;
+ (*p)++;
+ return 1;
}
static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
@@ -621,7 +620,7 @@ static int php_var_unserialize_internal(UNSERIALIZE_PARAMETER)
start = cursor;
-#line 625 "ext/standard/var_unserializer.c"
+#line 624 "ext/standard/var_unserializer.c"
{
YYCTYPE yych;
static const unsigned char yybm[] = {
@@ -679,9 +678,9 @@ static int php_var_unserialize_internal(UNSERIALIZE_PARAMETER)
yy2:
++YYCURSOR;
yy3:
-#line 1002 "ext/standard/var_unserializer.re"
+#line 1001 "ext/standard/var_unserializer.re"
{ return 0; }
-#line 685 "ext/standard/var_unserializer.c"
+#line 684 "ext/standard/var_unserializer.c"
yy4:
yych = *(YYMARKER = ++YYCURSOR);
if (yych == ':') goto yy17;
@@ -728,13 +727,13 @@ yy14:
goto yy3;
yy15:
++YYCURSOR;
-#line 996 "ext/standard/var_unserializer.re"
+#line 995 "ext/standard/var_unserializer.re"
{
/* this is the case where we have less data than planned */
php_error_docref(NULL, E_NOTICE, "Unexpected end of serialized data");
return 0; /* not sure if it should be 0 or 1 here? */
}
-#line 738 "ext/standard/var_unserializer.c"
+#line 737 "ext/standard/var_unserializer.c"
yy17:
yych = *++YYCURSOR;
if (yybm[0+yych] & 128) {
@@ -746,13 +745,13 @@ yy18:
goto yy3;
yy19:
++YYCURSOR;
-#line 680 "ext/standard/var_unserializer.re"
+#line 679 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
ZVAL_NULL(rval);
return 1;
}
-#line 756 "ext/standard/var_unserializer.c"
+#line 755 "ext/standard/var_unserializer.c"
yy21:
yych = *++YYCURSOR;
if (yych <= ',') {
@@ -1002,7 +1001,7 @@ yy62:
goto yy18;
yy63:
++YYCURSOR;
-#line 629 "ext/standard/var_unserializer.re"
+#line 628 "ext/standard/var_unserializer.re"
{
zend_long id;
@@ -1028,7 +1027,7 @@ yy63:
return 1;
}
-#line 1032 "ext/standard/var_unserializer.c"
+#line 1031 "ext/standard/var_unserializer.c"
yy65:
yych = *++YYCURSOR;
if (yych == '"') goto yy84;
@@ -1039,13 +1038,13 @@ yy66:
goto yy18;
yy67:
++YYCURSOR;
-#line 686 "ext/standard/var_unserializer.re"
+#line 685 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
ZVAL_BOOL(rval, parse_iv(start + 2));
return 1;
}
-#line 1049 "ext/standard/var_unserializer.c"
+#line 1048 "ext/standard/var_unserializer.c"
yy69:
++YYCURSOR;
if ((YYLIMIT - YYCURSOR) < 4) YYFILL(4);
@@ -1065,7 +1064,7 @@ yy69:
}
yy71:
++YYCURSOR;
-#line 734 "ext/standard/var_unserializer.re"
+#line 733 "ext/standard/var_unserializer.re"
{
#if SIZEOF_ZEND_LONG == 4
use_double:
@@ -1074,7 +1073,7 @@ use_double:
ZVAL_DOUBLE(rval, zend_strtod((const char *)start + 2, NULL));
return 1;
}
-#line 1078 "ext/standard/var_unserializer.c"
+#line 1077 "ext/standard/var_unserializer.c"
yy73:
yych = *++YYCURSOR;
if (yych <= ',') {
@@ -1096,7 +1095,7 @@ yy75:
goto yy18;
yy76:
++YYCURSOR;
-#line 692 "ext/standard/var_unserializer.re"
+#line 691 "ext/standard/var_unserializer.re"
{
#if SIZEOF_ZEND_LONG == 4
int digits = YYCURSOR - start - 3;
@@ -1122,14 +1121,14 @@ yy76:
ZVAL_LONG(rval, parse_iv(start + 2));
return 1;
}
-#line 1126 "ext/standard/var_unserializer.c"
+#line 1125 "ext/standard/var_unserializer.c"
yy78:
yych = *++YYCURSOR;
if (yych == '"') goto yy92;
goto yy18;
yy79:
++YYCURSOR;
-#line 655 "ext/standard/var_unserializer.re"
+#line 654 "ext/standard/var_unserializer.re"
{
zend_long id;
@@ -1154,14 +1153,14 @@ yy79:
return 1;
}
-#line 1158 "ext/standard/var_unserializer.c"
+#line 1157 "ext/standard/var_unserializer.c"
yy81:
yych = *++YYCURSOR;
if (yych == '"') goto yy94;
goto yy18;
yy82:
++YYCURSOR;
-#line 844 "ext/standard/var_unserializer.re"
+#line 843 "ext/standard/var_unserializer.re"
{
size_t len, len2, len3, maxlen;
zend_long elements;
@@ -1313,10 +1312,10 @@ yy82:
return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
-#line 1317 "ext/standard/var_unserializer.c"
+#line 1316 "ext/standard/var_unserializer.c"
yy84:
++YYCURSOR;
-#line 775 "ext/standard/var_unserializer.re"
+#line 774 "ext/standard/var_unserializer.re"
{
size_t len, maxlen;
zend_string *str;
@@ -1350,10 +1349,10 @@ yy84:
ZVAL_STR(rval, str);
return 1;
}
-#line 1354 "ext/standard/var_unserializer.c"
+#line 1353 "ext/standard/var_unserializer.c"
yy86:
++YYCURSOR;
-#line 809 "ext/standard/var_unserializer.re"
+#line 808 "ext/standard/var_unserializer.re"
{
zend_long elements = parse_iv(start + 2);
/* use iv() not uiv() in order to check data range */
@@ -1377,7 +1376,7 @@ yy86:
return finish_nested_data(UNSERIALIZE_PASSTHRU);
}
-#line 1381 "ext/standard/var_unserializer.c"
+#line 1380 "ext/standard/var_unserializer.c"
yy88:
yych = *++YYCURSOR;
if (yych <= ',') {
@@ -1402,7 +1401,7 @@ yy91:
goto yy18;
yy92:
++YYCURSOR;
-#line 833 "ext/standard/var_unserializer.re"
+#line 832 "ext/standard/var_unserializer.re"
{
zend_long elements;
if (!var_hash) return 0;
@@ -1413,10 +1412,10 @@ yy92:
}
return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
-#line 1417 "ext/standard/var_unserializer.c"
+#line 1416 "ext/standard/var_unserializer.c"
yy94:
++YYCURSOR;
-#line 743 "ext/standard/var_unserializer.re"
+#line 742 "ext/standard/var_unserializer.re"
{
size_t len, maxlen;
char *str;
@@ -1448,7 +1447,7 @@ yy94:
ZVAL_STRINGL(rval, str, len);
return 1;
}
-#line 1452 "ext/standard/var_unserializer.c"
+#line 1451 "ext/standard/var_unserializer.c"
yy96:
yych = *++YYCURSOR;
if (yych <= '/') goto yy18;
@@ -1456,7 +1455,7 @@ yy96:
goto yy18;
yy97:
++YYCURSOR;
-#line 718 "ext/standard/var_unserializer.re"
+#line 717 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
@@ -1472,9 +1471,9 @@ yy97:
return 1;
}
-#line 1476 "ext/standard/var_unserializer.c"
+#line 1475 "ext/standard/var_unserializer.c"
}
-#line 1004 "ext/standard/var_unserializer.re"
+#line 1003 "ext/standard/var_unserializer.re"
return 0;
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 19ab3c80c9..dd9fe4915b 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -477,13 +477,12 @@ string_key:
static inline int finish_nested_data(UNSERIALIZE_PARAMETER)
{
- if (*((*p)++) == '}')
- return 1;
+ if (*p >= max || **p != '}') {
+ return 0;
+ }
-#if SOMETHING_NEW_MIGHT_LEAD_TO_CRASH_ENABLE_IF_YOU_ARE_BRAVE
- zval_ptr_dtor(rval);
-#endif
- return 0;
+ (*p)++;
+ return 1;
}
static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
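Review bot: finish_nested_data changes two behaviours without documenting either: it tests `*p >= max` before dereferencing, and it no longer advances the cursor on failure, where the old code incremented it unconditionally. I would add a comment above the guard, e.g. `/* *p may equal max on truncated input, so test the bound before reading; the cursor advances only past a matched '}' */`. `max` is not declared in this hunk and presumably comes from UNSERIALIZE_PARAMETER, so it is worth confirming that it is one past the last readable byte, which is what the `>=` comparison assumes. Callers that inspect `*p` after a 0 return now see it one byte earlier, as the offset change in bug25378.phpt shows. The same edit is mirrored in the generated var_unserializer.c, whose remaining hunks are only `#line` renumbering.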