author | Nikita Popov <nikita.ppv@gmail.com> | 2017-06-25 21:15:26 +0200 |
---|---|---|
committer | Joe Watkins <krakjoe@php.net> | 2017-07-06 09:48:52 +0100 |
commit | 61ba5f84774938617f78d65c06e5933cff2d8af3 (patch) | |
tree | 6e1058ad4837c042ba1ad0d43baf0739231ad148 | |
parent | 498aa0ec97c46ea6a70c7ceda02bdc8b76fffd0e (diff) | |
download | php-git-61ba5f84774938617f78d65c06e5933cff2d8af3.tar.gz |
Fixed bug #74111
-rw-r--r-- | ext/standard/tests/serialize/bug25378.phpt | 2 | ||||
-rw-r--r-- | ext/standard/var_unserializer.c | 71 | ||||
-rw-r--r-- | ext/standard/var_unserializer.re | 11 |
3 files changed, 41 insertions, 43 deletions
diff --git a/ext/standard/tests/serialize/bug25378.phpt b/ext/standard/tests/serialize/bug25378.phpt index e865b96e99..e95a427006 100644 --- a/ext/standard/tests/serialize/bug25378.phpt +++ b/ext/standard/tests/serialize/bug25378.phpt @@ -42,7 +42,7 @@ bool(false) Notice: unserialize(): Error at offset 17 of 33 bytes in %sbug25378.php on line %d bool(false) -Notice: unserialize(): Error at offset 33 of 32 bytes in %sbug25378.php on line %d +Notice: unserialize(): Error at offset 32 of 32 bytes in %sbug25378.php on line %d bool(false) Notice: unserialize(): Error at offset 2 of 13 bytes in %sbug25378.php on line %d diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c index 10657514b4..e24cebdcfa 100644 --- a/ext/standard/var_unserializer.c +++ b/ext/standard/var_unserializer.c @@ -473,13 +473,12 @@ string_key: static inline int finish_nested_data(UNSERIALIZE_PARAMETER) { - if (*((*p)++) == '}') - return 1; + if (*p >= max || **p != '}') { + return 0; + } -#if SOMETHING_NEW_MIGHT_LEAD_TO_CRASH_ENABLE_IF_YOU_ARE_BRAVE - zval_ptr_dtor(rval); -#endif - return 0; + (*p)++; + return 1; } static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) @@ -621,7 +620,7 @@ static int php_var_unserialize_internal(UNSERIALIZE_PARAMETER) start = cursor; -#line 625 "ext/standard/var_unserializer.c" +#line 624 "ext/standard/var_unserializer.c" { YYCTYPE yych; static const unsigned char yybm[] = { @@ -679,9 +678,9 @@ static int php_var_unserialize_internal(UNSERIALIZE_PARAMETER) yy2: ++YYCURSOR; yy3: -#line 1002 "ext/standard/var_unserializer.re" +#line 1001 "ext/standard/var_unserializer.re" { return 0; } -#line 685 "ext/standard/var_unserializer.c" +#line 684 "ext/standard/var_unserializer.c" yy4: yych = *(YYMARKER = ++YYCURSOR); if (yych == ':') goto yy17; 
@@ -728,13 +727,13 @@ yy14: goto yy3; yy15: ++YYCURSOR; -#line 996 "ext/standard/var_unserializer.re" +#line 995 "ext/standard/var_unserializer.re" { /* this is the case where we have less data than planned */ php_error_docref(NULL, E_NOTICE, "Unexpected end of serialized data"); return 0; /* not sure if it should be 0 or 1 here? */ } -#line 738 "ext/standard/var_unserializer.c" +#line 737 "ext/standard/var_unserializer.c" yy17: yych = *++YYCURSOR; if (yybm[0+yych] & 128) { @@ -746,13 +745,13 @@ yy18: goto yy3; yy19: ++YYCURSOR; -#line 680 "ext/standard/var_unserializer.re" +#line 679 "ext/standard/var_unserializer.re" { *p = YYCURSOR; ZVAL_NULL(rval); return 1; } -#line 756 "ext/standard/var_unserializer.c" +#line 755 "ext/standard/var_unserializer.c" yy21: yych = *++YYCURSOR; if (yych <= ',') { @@ -1002,7 +1001,7 @@ yy62: goto yy18; yy63: ++YYCURSOR; -#line 629 "ext/standard/var_unserializer.re" +#line 628 "ext/standard/var_unserializer.re" { zend_long id; @@ -1028,7 +1027,7 @@ yy63: return 1; } -#line 1032 "ext/standard/var_unserializer.c" +#line 1031 "ext/standard/var_unserializer.c" yy65: yych = *++YYCURSOR; if (yych == '"') goto yy84; @@ -1039,13 +1038,13 @@ yy66: goto yy18; yy67: ++YYCURSOR; -#line 686 "ext/standard/var_unserializer.re" +#line 685 "ext/standard/var_unserializer.re" { *p = YYCURSOR; ZVAL_BOOL(rval, parse_iv(start + 2)); return 1; } -#line 1049 "ext/standard/var_unserializer.c" +#line 1048 "ext/standard/var_unserializer.c" yy69: ++YYCURSOR; if ((YYLIMIT - YYCURSOR) < 4) YYFILL(4); @@ -1065,7 +1064,7 @@ yy69: } yy71: ++YYCURSOR; -#line 734 "ext/standard/var_unserializer.re" +#line 733 "ext/standard/var_unserializer.re" { #if SIZEOF_ZEND_LONG == 4 use_double: @@ -1074,7 +1073,7 @@ use_double: ZVAL_DOUBLE(rval, zend_strtod((const char *)start + 2, NULL)); return 1; } -#line 1078 "ext/standard/var_unserializer.c" +#line 1077 "ext/standard/var_unserializer.c" yy73: yych = *++YYCURSOR; if (yych <= ',') { 
@@ -1096,7 +1095,7 @@ yy75: goto yy18; yy76: ++YYCURSOR; -#line 692 "ext/standard/var_unserializer.re" +#line 691 "ext/standard/var_unserializer.re" { #if SIZEOF_ZEND_LONG == 4 int digits = YYCURSOR - start - 3; @@ -1122,14 +1121,14 @@ yy76: ZVAL_LONG(rval, parse_iv(start + 2)); return 1; } -#line 1126 "ext/standard/var_unserializer.c" +#line 1125 "ext/standard/var_unserializer.c" yy78: yych = *++YYCURSOR; if (yych == '"') goto yy92; goto yy18; yy79: ++YYCURSOR; -#line 655 "ext/standard/var_unserializer.re" +#line 654 "ext/standard/var_unserializer.re" { zend_long id; @@ -1154,14 +1153,14 @@ yy79: return 1; } -#line 1158 "ext/standard/var_unserializer.c" +#line 1157 "ext/standard/var_unserializer.c" yy81: yych = *++YYCURSOR; if (yych == '"') goto yy94; goto yy18; yy82: ++YYCURSOR; -#line 844 "ext/standard/var_unserializer.re" +#line 843 "ext/standard/var_unserializer.re" { size_t len, len2, len3, maxlen; zend_long elements; @@ -1313,10 +1312,10 @@ yy82: return object_common2(UNSERIALIZE_PASSTHRU, elements); } -#line 1317 "ext/standard/var_unserializer.c" +#line 1316 "ext/standard/var_unserializer.c" yy84: ++YYCURSOR; -#line 775 "ext/standard/var_unserializer.re" +#line 774 "ext/standard/var_unserializer.re" { size_t len, maxlen; zend_string *str; @@ -1350,10 +1349,10 @@ yy84: ZVAL_STR(rval, str); return 1; } -#line 1354 "ext/standard/var_unserializer.c" +#line 1353 "ext/standard/var_unserializer.c" yy86: ++YYCURSOR; -#line 809 "ext/standard/var_unserializer.re" +#line 808 "ext/standard/var_unserializer.re" { zend_long elements = parse_iv(start + 2); /* use iv() not uiv() in order to check data range */ @@ -1377,7 +1376,7 @@ yy86: return finish_nested_data(UNSERIALIZE_PASSTHRU); } -#line 1381 "ext/standard/var_unserializer.c" +#line 1380 "ext/standard/var_unserializer.c" yy88: yych = *++YYCURSOR; if (yych <= ',') { 
@@ -1402,7 +1401,7 @@ yy91: goto yy18; yy92: ++YYCURSOR; -#line 833 "ext/standard/var_unserializer.re" +#line 832 "ext/standard/var_unserializer.re" { zend_long elements; if (!var_hash) return 0; @@ -1413,10 +1412,10 @@ yy92: } return object_common2(UNSERIALIZE_PASSTHRU, elements); } -#line 1417 "ext/standard/var_unserializer.c" +#line 1416 "ext/standard/var_unserializer.c" yy94: ++YYCURSOR; -#line 743 "ext/standard/var_unserializer.re" +#line 742 "ext/standard/var_unserializer.re" { size_t len, maxlen; char *str; @@ -1448,7 +1447,7 @@ yy94: ZVAL_STRINGL(rval, str, len); return 1; } -#line 1452 "ext/standard/var_unserializer.c" +#line 1451 "ext/standard/var_unserializer.c" yy96: yych = *++YYCURSOR; if (yych <= '/') goto yy18; @@ -1456,7 +1455,7 @@ yy96: goto yy18; yy97: ++YYCURSOR; -#line 718 "ext/standard/var_unserializer.re" +#line 717 "ext/standard/var_unserializer.re" { *p = YYCURSOR; @@ -1472,9 +1471,9 @@ yy97: return 1; } -#line 1476 "ext/standard/var_unserializer.c" +#line 1475 "ext/standard/var_unserializer.c" } -#line 1004 "ext/standard/var_unserializer.re" +#line 1003 "ext/standard/var_unserializer.re" return 0; diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index 19ab3c80c9..dd9fe4915b 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re @@ -477,13 +477,12 @@ string_key: static inline int finish_nested_data(UNSERIALIZE_PARAMETER) { - if (*((*p)++) == '}') - return 1; + if (*p >= max || **p != '}') { + return 0; + } -#if SOMETHING_NEW_MIGHT_LEAD_TO_CRASH_ENABLE_IF_YOU_ARE_BRAVE - zval_ptr_dtor(rval); -#endif - return 0; + (*p)++; + return 1; } static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) |
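Review bot: The new guard in finish_nested_data() in var_unserializer.re has no comment explaining why `*p >= max` must be tested before `**p`, and that ordering is the whole fix. The removed `*((*p)++)` read the byte at the cursor and advanced it unconditionally, even when the nested data had already consumed the buffer, which matches the old bug25378.phpt expectation of an error at offset 33 of 32 bytes. I would add above the check `/* Nested data may end exactly at max: never dereference or advance the cursor past it. */`. The function now leaves `*p` untouched on failure, so reported offsets for a wrong (not only a missing) closing byte presumably drop by one as well; it is worth confirming the other unserialize tests still agree. `max` is not declared in the hunk and is presumably supplied by UNSERIALIZE_PARAMETER; the same edit is mirrored in the generated var_unserializer.c.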