authorStanislav Malyshev <stas@php.net>2016-08-17 00:23:51 -0700
committerStanislav Malyshev <stas@php.net>2016-08-17 00:43:33 -0700
commit0d13325b660b5ae64267dffcc9a153c7634fdfe2 (patch)
treeb0be1d511a7eb0c18575f9368dc0d7d3d1828d3f /ext/session/session.c
parent75d7666968573a0abea36b46aae2b0c0ad6eb488 (diff)
parent9e00ad2b091f3bbb6e34656c06eb7601fbadb7ce (diff)
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6: (24 commits) Update NEWS BLock test with memory leak fix tests Fix TSRM build Fix bug #72850 - integer overflow in uuencode Fixed bug #72849 - integer overflow in urlencode Fix bug #72848 - integer overflow in quoted_printable_encode caused heap corruption Fix bug #72838 - Integer overflow lead to heap corruption in sql_regcase Fix bug #72837 - integer overflow in bzdecompress caused heap corruption Fix bug #72836 - integer overflow in base64_decode caused heap corruption Fix for bug #72807 - do not produce strings with negative length Fix for bug #72790 and bug #72799 Fix bug #72730 - imagegammacorrect allows arbitrary write access Fix bug#72697 - select_colors write out-of-bounds Fixed bug #72627: Memory Leakage In exif_process_IFD_in_TIFF Fix bug #72750: wddx_deserialize null dereference Fix bug #72771: ftps:// opendir wrapper is vulnerable to protocol downgrade attack Improve fix for #72663 Fix bug #70436: Use After Free Vulnerability in unserialize() Fix bug #72749: wddx_deserialize allows illegal memory access ... Conflicts: Zend/zend_API.h ext/bz2/bz2.c ext/curl/interface.c ext/ereg/ereg.c ext/exif/exif.c ext/gd/gd.c ext/gd/tests/imagetruecolortopalette_error3.phpt ext/gd/tests/imagetruecolortopalette_error4.phpt ext/session/session.c ext/snmp/snmp.c ext/standard/base64.c ext/standard/ftp_fopen_wrapper.c ext/standard/quot_print.c ext/standard/url.c ext/standard/uuencode.c ext/standard/var.c ext/standard/var_unserializer.c ext/standard/var_unserializer.re ext/wddx/tests/bug72790.phpt ext/wddx/tests/bug72799.phpt ext/wddx/wddx.c sapi/cli/generate_mime_type_map.php
Diffstat (limited to 'ext/session/session.c')
-rw-r--r--ext/session/session.c21
1 files changed, 15 insertions, 6 deletions
diff --git a/ext/session/session.c b/ext/session/session.c
index 380cad5b58..48cd0f1bdf 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -963,11 +963,13 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
int namelen;
zend_string *name;
php_unserialize_data_t var_hash;
+ int skip = 0;
PHP_VAR_UNSERIALIZE_INIT(var_hash);
for (p = val; p < endptr; ) {
zval *tmp;
+ skip = 0;
namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF);
if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
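Review bot: `skip` is declared at function scope next to `var_hash` and then has to be reset by hand at the top of every iteration. Declaring it inside the loop body, `int skip = 0;` directly after `zval *tmp;`, would scope the flag to a single entry and rule out a stale value from the previous entry by construction. The same pattern is repeated in the `PS_SERIALIZER_DECODE_FUNC(php)` hunks at -1056 and -1064. The loop body continues outside this hunk.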
@@ -984,8 +986,7 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
if ((tmp = zend_hash_find(&EG(symbol_table), name))) {
if ((Z_TYPE_P(tmp) == IS_ARRAY &&
Z_ARRVAL_P(tmp) == &EG(symbol_table)) || tmp == &PS(http_session_vars)) {
- zend_string_release(name);
- continue;
+ skip = 1;
}
}
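Review bot: The new `skip = 1;` has no comment, so the later `if (!skip)` guards do not explain why the old `continue` could not simply stay. A short comment would record the intent, for example `/* name maps to the symbol table or PS(http_session_vars): do not store it, but still unserialize the value below so p moves past it */`. That the cursor only moves past the value in the later `php_var_unserialize()` call is inferred from the next hunk, so the wording should be checked against the full function. The same comment fits the `skip = 1;` in the `php` decoder hunk at -1081.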
@@ -994,7 +995,9 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
current = var_tmp_var(&var_hash);
if (php_var_unserialize(current, (const unsigned char **) &p, (const unsigned char *) endptr, &var_hash)) {
ZVAL_PTR(&rv, current);
- php_set_session_var(name, &rv, &var_hash );
+ if (!skip) {
+ php_set_session_var(name, &rv, &var_hash);
+ }
} else {
zend_string_release(name);
php_session_normalize_vars();
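Review bot: The no-value path of the `php_binary` decoder does not appear to receive the `!skip` guard that the `php` decoder gets around `PS_ADD_VARL(name)` in the last hunk. The branch that handles an entry without a value lies outside this hunk, and all 15 insertions in the diffstat are accounted for by the visible hunks. A name flagged with `skip = 1` would therefore presumably still be registered there when the entry carries the `PS_BIN_UNDEF` bit. If that branch mirrors the `php` decoder, it should read `if (!skip) { PS_ADD_VARL(name); }` so that both serializers refuse the same names.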
@@ -1056,6 +1059,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
zend_string *name;
int has_value, retval = SUCCESS;
php_unserialize_data_t var_hash;
+ int skip = 0;
PHP_VAR_UNSERIALIZE_INIT(var_hash);
@@ -1064,6 +1068,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
while (p < endptr) {
zval *tmp;
q = p;
+ skip = 0;
while (*q != PS_DELIMITER) {
if (++q >= endptr) goto break_outer_loop;
}
@@ -1081,7 +1086,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
if ((tmp = zend_hash_find(&EG(symbol_table), name))) {
if ((Z_TYPE_P(tmp) == IS_ARRAY &&
Z_ARRVAL_P(tmp) == &EG(symbol_table)) || tmp == &PS(http_session_vars)) {
- goto skip;
+ skip = 1;
}
}
@@ -1090,14 +1095,18 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
current = var_tmp_var(&var_hash);
if (php_var_unserialize(current, (const unsigned char **)&q, (const unsigned char *)endptr, &var_hash)) {
ZVAL_PTR(&rv, current);
- php_set_session_var(name, &rv, &var_hash);
+ if (!skip) {
+ php_set_session_var(name, &rv, &var_hash);
+ }
} else {
zend_string_release(name);
retval = FAILURE;
goto break_outer_loop;
}
} else {
- PS_ADD_VARL(name);
+ if(!skip) {
+ PS_ADD_VARL(name);
+ }
}
skip:
zend_string_release(name);
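Review bot: The `skip:` label stays in place although the only visible `goto skip` was replaced by `skip = 1;`, and it now has the same spelling as the new `int skip` flag. Labels have their own namespace, so this compiles, but if no other `goto skip` remains elsewhere in the function the label is dead and can trigger an unused-label warning. Dropping the label, or renaming the flag to something like `skip_var`, would avoid confusion between the two. Separately, `if(!skip) {` lacks the space used in the other added guard, `if (!skip) {`. The function continues past the end of this hunk.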