From c2acdbdd3deb6787329bf0aca8ab0c04ace2a50c Mon Sep 17 00:00:00 2001
From: Anatol Belski
Date: Fri, 18 Apr 2014 15:13:32 +0200
Subject: [PATCH] Improved the fix for bug #67072, thanks Nikita
---
 ext/standard/tests/serialize/005.phpt | 9 +--
 ext/standard/tests/serialize/bug67072.phpt | 9 ++-
 ext/standard/var_unserializer.c | 69 +++++++++++-----------
 ext/standard/var_unserializer.re | 7 ++-
 4 files changed, 50 insertions(+), 44 deletions(-)
diff --git a/ext/standard/tests/serialize/005.phpt b/ext/standard/tests/serialize/005.phpt
index 87a3fb3ab71..2df270154dc 100644
--- a/ext/standard/tests/serialize/005.phpt
+++ b/ext/standard/tests/serialize/005.phpt
@@ -156,10 +156,11 @@ object(TestNAOld)#%d (0) {
 }
 ===NANew===
 unserializer(TestNANew)
-TestNew::unserialize()
-TestNew::__wakeup()
-object(TestNANew)#%d (0) {
-}
+
+Warning: Erroneous data format for unserializing 'TestNANew' in %s005.php on line %d
+
+Notice: unserialize(): Error at offset 19 of 20 bytes in %s005.php on line %d
+bool(false)
 ===NANew2===
 unserializer(TestNANew2)
 TestNew::unserialize()
diff --git a/ext/standard/tests/serialize/bug67072.phpt b/ext/standard/tests/serialize/bug67072.phpt
index 3e7d33ba8a8..951db75a071 100644
--- a/ext/standard/tests/serialize/bug67072.phpt
+++ b/ext/standard/tests/serialize/bug67072.phpt
@@ -6,8 +6,7 @@ Bug #67072 Echoing unserialized "SplFileObject" crash
 ?>
 ===DONE==
 --EXPECTF--
-Fatal error: Uncaught exception 'Exception' with message 'Unserialization of 'SplFileObject' is not allowed' in %sbug67072.php:2
-Stack trace:
-#0 %sbug67072.php(2): unserialize('O:13:"SplFileOb...')
-#1 {main}
- thrown in %sbug67072.php on line 2
+Warning: Erroneous data format for unserializing 'SplFileObject' in %sbug67072.php on line %d
+
+Notice: unserialize(): Error at offset 24 of 64 bytes in %sbug67072.php on line %d
+===DONE==
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
index 8db00c239f0..003bac95473 100644
--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c @@ -1,4 +1,4 @@ -/* Generated by re2c 0.13.5 on Thu Apr 17 10:03:26 2014 */ +/* Generated by re2c 0.13.5 on Fri Apr 18 15:07:27 2014 */ #line 1 "ext/standard/var_unserializer.re" /* +----------------------------------------------------------------------+ @@ -396,9 +396,12 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce) (*p) += 2; - if (ce->unserialize == NULL) { + if (ce->serialize == NULL) { object_init_ex(*rval, ce); - } else if (ce->unserialize(rval, ce, (const unsigned char*)*p, elements, (zend_unserialize_data *)var_hash TSRMLS_CC) != SUCCESS) { + } else { + /* If this class implements Serializable, it should not land here but in object_custom(). The passed string + obviously doesn't descend from the regular serializer. */ + zend_error(E_WARNING, "Erroneous data format for unserializing '%s'", ce->name); return 0; } @@ -466,7 +469,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER) -#line 470 "ext/standard/var_unserializer.c" +#line 473 "ext/standard/var_unserializer.c" { YYCTYPE yych; static const unsigned char yybm[] = { @@ -526,9 +529,9 @@ yy2: yych = *(YYMARKER = ++YYCURSOR); if (yych == ':') goto yy95; yy3: -#line 821 "ext/standard/var_unserializer.re" +#line 824 "ext/standard/var_unserializer.re" { return 0; } -#line 532 "ext/standard/var_unserializer.c" +#line 535 "ext/standard/var_unserializer.c" yy4: yych = *(YYMARKER = ++YYCURSOR); if (yych == ':') goto yy89; @@ -571,13 +574,13 @@ yy13: goto yy3; yy14: ++YYCURSOR; -#line 815 "ext/standard/var_unserializer.re" +#line 818 "ext/standard/var_unserializer.re" { /* this is the case where we have less data than planned */ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data"); return 0; /* not sure if it should be 0 or 1 here? */ } -#line 581 "ext/standard/var_unserializer.c" +#line 584 "ext/standard/var_unserializer.c" yy16: yych = *++YYCURSOR; goto yy3; 
@@ -607,7 +610,7 @@ yy20: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 669 "ext/standard/var_unserializer.re" +#line 672 "ext/standard/var_unserializer.re" { size_t len, len2, len3, maxlen; long elements; @@ -753,7 +756,7 @@ yy20: return object_common2(UNSERIALIZE_PASSTHRU, elements); } -#line 757 "ext/standard/var_unserializer.c" +#line 760 "ext/standard/var_unserializer.c" yy25: yych = *++YYCURSOR; if (yych <= ',') { @@ -778,7 +781,7 @@ yy27: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 661 "ext/standard/var_unserializer.re" +#line 664 "ext/standard/var_unserializer.re" { INIT_PZVAL(*rval); @@ -786,7 +789,7 @@ yy27: return object_common2(UNSERIALIZE_PASSTHRU, object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR)); } -#line 790 "ext/standard/var_unserializer.c" +#line 793 "ext/standard/var_unserializer.c" yy32: yych = *++YYCURSOR; if (yych == '+') goto yy33; @@ -807,7 +810,7 @@ yy34: yych = *++YYCURSOR; if (yych != '{') goto yy18; ++YYCURSOR; -#line 641 "ext/standard/var_unserializer.re" +#line 644 "ext/standard/var_unserializer.re" { long elements = parse_iv(start + 2); /* use iv() not uiv() in order to check data range */ @@ -827,7 +830,7 @@ yy34: return finish_nested_data(UNSERIALIZE_PASSTHRU); } -#line 831 "ext/standard/var_unserializer.c" +#line 834 "ext/standard/var_unserializer.c" yy39: yych = *++YYCURSOR; if (yych == '+') goto yy40; @@ -848,7 +851,7 @@ yy41: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 612 "ext/standard/var_unserializer.re" +#line 615 "ext/standard/var_unserializer.re" { size_t len, maxlen; char *str; @@ -877,7 +880,7 @@ yy41: ZVAL_STRINGL(*rval, str, len, 0); return 1; } -#line 881 "ext/standard/var_unserializer.c" +#line 884 "ext/standard/var_unserializer.c" yy46: yych = *++YYCURSOR; if (yych == '+') goto yy47; 
@@ -898,7 +901,7 @@ yy48: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 584 "ext/standard/var_unserializer.re" +#line 587 "ext/standard/var_unserializer.re" { size_t len, maxlen; char *str; @@ -926,7 +929,7 @@ yy48: ZVAL_STRINGL(*rval, str, len, 1); return 1; } -#line 930 "ext/standard/var_unserializer.c" +#line 933 "ext/standard/var_unserializer.c" yy53: yych = *++YYCURSOR; if (yych <= '/') { @@ -1014,7 +1017,7 @@ yy61: } yy63: ++YYCURSOR; -#line 574 "ext/standard/var_unserializer.re" +#line 577 "ext/standard/var_unserializer.re" { #if SIZEOF_LONG == 4 use_double: @@ -1024,7 +1027,7 @@ use_double: ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL)); return 1; } -#line 1028 "ext/standard/var_unserializer.c" +#line 1031 "ext/standard/var_unserializer.c" yy65: yych = *++YYCURSOR; if (yych <= ',') { @@ -1083,7 +1086,7 @@ yy73: yych = *++YYCURSOR; if (yych != ';') goto yy18; ++YYCURSOR; -#line 559 "ext/standard/var_unserializer.re" +#line 562 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); @@ -1098,7 +1101,7 @@ yy73: return 1; } -#line 1102 "ext/standard/var_unserializer.c" +#line 1105 "ext/standard/var_unserializer.c" yy76: yych = *++YYCURSOR; if (yych == 'N') goto yy73; @@ -1125,7 +1128,7 @@ yy79: if (yych <= '9') goto yy79; if (yych != ';') goto yy18; ++YYCURSOR; -#line 532 "ext/standard/var_unserializer.re" +#line 535 "ext/standard/var_unserializer.re" { #if SIZEOF_LONG == 4 int digits = YYCURSOR - start - 3; @@ -1152,7 +1155,7 @@ yy79: ZVAL_LONG(*rval, parse_iv(start + 2)); return 1; } -#line 1156 "ext/standard/var_unserializer.c" +#line 1159 "ext/standard/var_unserializer.c" yy83: yych = *++YYCURSOR; if (yych <= '/') goto yy18; 
@@ -1160,24 +1163,24 @@ yy83: yych = *++YYCURSOR; if (yych != ';') goto yy18; ++YYCURSOR; -#line 525 "ext/standard/var_unserializer.re" +#line 528 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_BOOL(*rval, parse_iv(start + 2)); return 1; } -#line 1171 "ext/standard/var_unserializer.c" +#line 1174 "ext/standard/var_unserializer.c" yy87: ++YYCURSOR; -#line 518 "ext/standard/var_unserializer.re" +#line 521 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_NULL(*rval); return 1; } -#line 1181 "ext/standard/var_unserializer.c" +#line 1184 "ext/standard/var_unserializer.c" yy89: yych = *++YYCURSOR; if (yych <= ',') { @@ -1200,7 +1203,7 @@ yy91: if (yych <= '9') goto yy91; if (yych != ';') goto yy18; ++YYCURSOR; -#line 495 "ext/standard/var_unserializer.re" +#line 498 "ext/standard/var_unserializer.re" { long id; @@ -1223,7 +1226,7 @@ yy91: return 1; } -#line 1227 "ext/standard/var_unserializer.c" +#line 1230 "ext/standard/var_unserializer.c" yy95: yych = *++YYCURSOR; if (yych <= ',') { @@ -1246,7 +1249,7 @@ yy97: if (yych <= '9') goto yy97; if (yych != ';') goto yy18; ++YYCURSOR; -#line 474 "ext/standard/var_unserializer.re" +#line 477 "ext/standard/var_unserializer.re" { long id; @@ -1267,9 +1270,9 @@ yy97: return 1; } -#line 1271 "ext/standard/var_unserializer.c" +#line 1274 "ext/standard/var_unserializer.c" } -#line 823 "ext/standard/var_unserializer.re" +#line 826 "ext/standard/var_unserializer.re" return 0; diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index 1f71bb759d4..b3f5d29ca21 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re 
@@ -400,9 +400,12 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
 (*p) += 2;
- if (ce->unserialize == NULL) {
+ if (ce->serialize == NULL) {
 object_init_ex(*rval, ce);
- } else if (ce->unserialize(rval, ce, (const unsigned char*)*p, elements, (zend_unserialize_data *)var_hash TSRMLS_CC) != SUCCESS) {
+ } else {
+ /* If this class implements Serializable, it should not land here but in object_custom(). The passed string
+ obviously doesn't descend from the regular serializer. */
+ zend_error(E_WARNING, "Erroneous data format for unserializing '%s'", ce->name);
 return 0;
 }
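Review bot: The new guard in object_common1() keys only on `ce->serialize`, so a class that registers an `unserialize` handler but no `serialize` handler would now be instantiated through `object_init_ex()` with its handler skipped, whereas the old code at least invoked it. Whether any class is registered that way is not visible from this hunk, but because the payload is untrusted serialized data it is safer to take the plain-object path only when both handlers are absent: `if (ce->serialize == NULL && ce->unserialize == NULL) {`. The warning is also raised with `zend_error()` while the "Unexpected end of serialized data" notice in the same parser goes through `php_error_docref(NULL TSRMLS_CC, ...)`, which is why the updated expectations show `Warning: Erroneous data format` without the `unserialize():` prefix carried by the notice that follows it. Using `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Erroneous data format for unserializing '%s'", ce->name);` would keep the two consistent, at the cost of regenerating the .phpt expectations. The same change is mirrored in the generated var_unserializer.c, and object_common1's body starts and ends outside the hunk.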