authorXinchen Hui <laruence@php.net>2014-07-02 17:57:42 +0800
committerXinchen Hui <laruence@php.net>2014-07-02 17:57:42 +0800
commit22882a9d89712ff2b6ebc20a689a89452bba4dcd (patch)
tree8afff9e9cc94dff240878882a29b85b14ebc9f9c /ext/spl/spl_array.c
parentdf78c48354f376cf419d7a97f88ca07d572f00fb (diff)
Fixed bug #67539 (ArrayIterator use-after-free due to object change during sorting)
Diffstat (limited to 'ext/spl/spl_array.c')
-rw-r--r--ext/spl/spl_array.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 8392e72714..0fe47b651c 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1733,6 +1733,7 @@ SPL_METHOD(Array, unserialize)
const unsigned char *p, *s;
php_unserialize_data_t var_hash;
zval *pmembers, *pflags = NULL;
+ HashTable *aht;
long flags;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
@@ -1744,6 +1745,12 @@ SPL_METHOD(Array, unserialize)
return;
}
+ aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
+ if (aht->nApplyCount > 0) {
+ zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
+ return;
+ }
+
/* storage */
s = p = (const unsigned char*)buf;
PHP_VAR_UNSERIALIZE_INIT(var_hash);
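Review bot: `aht` is dereferenced in `if (aht->nApplyCount > 0)` without a NULL check, so if `spl_array_get_hash_table()` can return NULL for this object (its definition is not visible here), the new guard itself becomes a crash on a path that handles serialized input. Writing the test as `if (aht && aht->nApplyCount > 0) {` keeps the previous behaviour for that case, or a separate `if (!aht)` early return can reject it outright. The guard also deserves a comment tying it to the bug, for example `/* bug #67539: refuse to replace the storage while an apply/sort callback is using it */`, because `nApplyCount` is presumably raised by more than sorting while the warning text names sorting only. The body of the unserialize method starts before and continues after this hunk, so whether the early `return` needs any cleanup cannot be judged from here.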