diff options
author | Stanislav Malyshev <stas@php.net> | 2014-09-28 14:19:31 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2014-10-14 10:43:13 -0700 |
commit | 9aa90145239bae82d2af0a99fdae4ab27eb5f4f2 (patch) | |
tree | b0e6b39dad98b621737d7929b1cd6a7391447989 /ext/standard/var_unserializer.re | |
parent | 44035de79f5b9646064d9bdd0329a946b0c5372a (diff) | |
download | php-git-9aa90145239bae82d2af0a99fdae4ab27eb5f4f2.tar.gz |
Fixed bug #68044: Integer overflow in unserialize() (32-bits only)
Diffstat (limited to 'ext/standard/var_unserializer.re')
-rw-r--r-- | ext/standard/var_unserializer.re | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index 130750805f..6de158392e 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re @@ -376,7 +376,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) (*p) += 2; - if (datalen < 0 || (*p) + datalen >= max) { + if (datalen < 0 || (max - (*p)) <= datalen) { zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p))); return 0; } |