Fixed bug #68044: Integer overflow in unserialize() (32-bits only)

author: Stanislav Malyshev <stas@php.net> 2014-09-28 14:19:31 -0700
committer: Stanislav Malyshev <stas@php.net> 2014-10-14 10:43:13 -0700
commit: 9aa90145239bae82d2af0a99fdae4ab27eb5f4f2 (patch)
tree: b0e6b39dad98b621737d7929b1cd6a7391447989 /ext/standard/var_unserializer.re
parent: 44035de79f5b9646064d9bdd0329a946b0c5372a (diff)
download: php-git-9aa90145239bae82d2af0a99fdae4ab27eb5f4f2.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 130750805f..6de158392e 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -376,7 +376,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
 
 	(*p) += 2;
 
-	if (datalen < 0 || (*p) + datalen >= max) {
+	if (datalen < 0 || (max - (*p)) <= datalen) {
 		zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
 		return 0;
 	}
author	Stanislav Malyshev <stas@php.net>	2014-09-28 14:19:31 -0700
committer	Stanislav Malyshev <stas@php.net>	2014-10-14 10:43:13 -0700
commit	9aa90145239bae82d2af0a99fdae4ab27eb5f4f2 (patch)
tree	b0e6b39dad98b621737d7929b1cd6a7391447989 /ext/standard/var_unserializer.re
parent	44035de79f5b9646064d9bdd0329a946b0c5372a (diff)
download	php-git-9aa90145239bae82d2af0a99fdae4ab27eb5f4f2.tar.gz