author | Nikita Popov <nikita.ppv@gmail.com> | 2019-09-24 11:50:26 +0200 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2019-09-30 10:28:24 +0200 |
commit | 1806ce9cb019ee74ddb540cbc07daf121dcb5537 (patch) | |
tree | f2e30e502885dd431416a8803cce95aaacc4dfe4 /ext/standard/php_var.h | |
parent | ce769a94a8d350e4fbe4f95639fff165f7568bab (diff) | |
download | php-git-1806ce9cb019ee74ddb540cbc07daf121dcb5537.tar.gz |
Add max_depth option to unserialize()
Add a max_depth option to unserialize and an unserialize_max_depth
ini setting, which can be used to control the depth limit. The
default value is 4096.
This option is intended to prevent stack overflows during the
unserialization of deeply nested structures.
This fixes bug #78549 and addresses oss-fuzz #17581, #17589, #17664,
and #17788.
Diffstat (limited to 'ext/standard/php_var.h')
-rw-r--r-- | ext/standard/php_var.h | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/ext/standard/php_var.h b/ext/standard/php_var.h
index e8bd9406b8..1342ae2565 100644
--- a/ext/standard/php_var.h
+++ b/ext/standard/php_var.h
@@ -22,6 +22,7 @@
 #include "ext/standard/basic_functions.h"
 #include "zend_smart_str_public.h"
 
+PHP_MINIT_FUNCTION(var);
 PHP_FUNCTION(var_dump);
 PHP_FUNCTION(var_export);
 PHP_FUNCTION(debug_zval_dump);
@@ -50,6 +51,10 @@ PHPAPI php_unserialize_data_t php_var_unserialize_init(void);
 PHPAPI void php_var_unserialize_destroy(php_unserialize_data_t d);
 PHPAPI HashTable *php_var_unserialize_get_allowed_classes(php_unserialize_data_t d);
 PHPAPI void php_var_unserialize_set_allowed_classes(php_unserialize_data_t d, HashTable *classes);
+PHPAPI void php_var_unserialize_set_max_depth(php_unserialize_data_t d, zend_long max_depth);
+PHPAPI zend_long php_var_unserialize_get_max_depth(php_unserialize_data_t d);
+PHPAPI void php_var_unserialize_set_cur_depth(php_unserialize_data_t d, zend_long cur_depth);
+PHPAPI zend_long php_var_unserialize_get_cur_depth(php_unserialize_data_t d);
 
 #define PHP_VAR_SERIALIZE_INIT(d) \
 (d) = php_var_serialize_init() |
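Review bot: The four prototypes added in the second hunk export the depth limit to every extension without stating its contract. Both setters take a signed `zend_long`, and nothing visible here says whether a negative `max_depth` is rejected or whether zero has a special meaning; because the commit message presents the limit as a guard against stack overflow, that belongs next to the declaration, e.g. `/* max_depth: nesting limit applied by php_var_unserialize(); state here what 0 and negative values mean */`. `php_var_unserialize_set_cur_depth()` needs its own comment as well: presumably it exists so that nested unserialize calls can carry the running depth forward, and a caller that lowers it mid-parse would weaken the limit. The implementation is in files not shown on this page, so range validation may already happen there.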