authorStanislav Malyshev <stas@php.net>2015-08-04 14:10:57 -0700
committerStanislav Malyshev <stas@php.net>2015-08-04 14:10:57 -0700
commit69ed3969dd3b00feaa62f611c5095e27ba96274d (patch)
tree0eaaac44be832888b856808ec83153f42ccc577c /ext/spl/spl_array.c
parent66edc158755a8e960499913f16f6455797bb5803 (diff)
parent51f9a00b47159ed13dfe5bd5af7e98986aa1a6fa (diff)
Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4: Fix bug #70019 - limit extracted files to given directory Do not do convert_to_* on unserialize, it messes up references Fix #69793 - limit what we accept when unserializing exception Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList) Fixed bug #70166 - Use After Free Vulnerability in unserialize() with SPLArrayObject ignore signatures for packages too Fix bug #70168 - Use After Free Vulnerability in unserialize() with SplObjectStorage Fixed bug #69892 Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes Improved fix for Bug #69441 Fix bug #70068 (Dangling pointer in the unserialization of ArrayObject items) Fix bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref) Fix bug #70081: check types for SOAP variables Conflicts: .gitignore ext/date/php_date.c ext/spl/spl_array.c ext/spl/spl_observer.c
Diffstat (limited to 'ext/spl/spl_array.c')
-rw-r--r--ext/spl/spl_array.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 355cb08ffe..c89cf4994b 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1762,13 +1762,12 @@ SPL_METHOD(Array, unserialize)
ALLOC_INIT_ZVAL(pflags);
if (!php_var_unserialize(&pflags, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pflags) != IS_LONG) {
- zval_ptr_dtor(&pflags);
goto outexcept;
}
+ var_push_dtor(&var_hash, &pflags);
--p; /* for ';' */
flags = Z_LVAL_P(pflags);
- zval_ptr_dtor(&pflags);
/* flags needs to be verified and we also need to verify whether the next
* thing we get is ';'. After that we require an 'm' or somethign else
* where 'm' stands for members and anything else should be an array. If
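Review bot: The lifetime of `pflags` is now split across two release points, the `var_push_dtor(&var_hash, &pflags)` added here and the `if (pflags) { zval_ptr_dtor(&pflags); }` guards added in the last hunk on both the normal and the `outexcept` path, and nothing in the code says why both are needed. If `var_push_dtor()` takes its own reference, as the 5.x unserializer does, this is the intended shape: the var_hash copy keeps the zval alive until `PHP_VAR_UNSERIALIZE_DESTROY()` so a reference recorded during unserialization cannot be left dangling, and the final `zval_ptr_dtor()` only drops the reference from `ALLOC_INIT_ZVAL`. A comment on the new line such as `/* var_push_dtor() holds its own ref until PHP_VAR_UNSERIALIZE_DESTROY(); the zval_ptr_dtor() at the end releases ours */` would stop a later cleanup from removing the apparent double release and reintroducing the bug. Both guards also depend on `pflags` being initialised to NULL at its declaration, which is outside the hunk, as is the rest of SPL_METHOD(Array, unserialize).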
@@ -1790,6 +1789,7 @@ SPL_METHOD(Array, unserialize)
if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {
goto outexcept;
}
+ var_push_dtor(&var_hash, &intern->array);
}
if (*p != ';') {
goto outexcept;
@@ -1808,6 +1808,7 @@ SPL_METHOD(Array, unserialize)
goto outexcept;
}
+ var_push_dtor(&var_hash, &pmembers);
/* copy members */
if (!intern->std.properties) {
rebuild_object_properties(&intern->std);
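Review bot: Nothing in this hunk verifies that `pmembers` unserialized to an array before the `/* copy members */` step that follows it, although the first hunk shows the file's pattern for exactly that kind of check (`Z_TYPE_P(pflags) != IS_LONG`). If the copy below the hunk reads `Z_ARRVAL_P(pmembers)` without such a test, a payload carrying a non-array in that position reaches it with the wrong zval type; adding `if (Z_TYPE_P(pmembers) != IS_ARRAY) { goto outexcept; }` directly after the new `var_push_dtor()` line reuses the existing error path and its cleanup. The `if` statement whose failure branch ends at the top of the hunk starts outside it, so I cannot see whether that branch still releases `pmembers` itself; with `var_push_dtor()` now called only on success, a direct `zval_ptr_dtor(&pmembers)` there would remain the correct cleanup.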
@@ -1818,10 +1819,16 @@ SPL_METHOD(Array, unserialize)
/* done reading $serialized */
PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+ if (pflags) {
+ zval_ptr_dtor(&pflags);
+ }
return;
outexcept:
PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+ if (pflags) {
+ zval_ptr_dtor(&pflags);
+ }
zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len);
return;