Fixed bug #75075 (unpack with X* causes infinity loop)

2024-11-24 10:24:11 +08:00 · 2017-08-15 12:34:13 +08:00 · 2017-08-15 12:34:13 +08:00 · d8c80af71e
commit d8c80af71e
parent 2def85688d
3 changed files with 15 additions and 0 deletions
--- a/1
+++ b/1
@ -53,6 +53,7 @@ PHP                                                                        NEWS
  . Fixed bug #75015 (Crash in recursive iterator destructors). (Julien)

 - Standard:
+  . Fixed bug #75075 (unpack with X* causes infinity loop). (Laruence)
  . Fixed bug #74103 (heap-use-after-free when unserializing invalid array
    size). (Nikita)
  . Fixed bug #75054 (A Denial of Service Vulnerability was found when
--- a/ext/standard/pack.c
+++ b/ext/standard/pack.c
@ -782,6 +782,10 @@ PHP_FUNCTION(unpack)
 			/* Never use any input */
 			case 'X':
 				size = -1;
+				if (arg < 0) {
+					php_error_docref(NULL, E_WARNING, "Type %c: '*' ignored", type);
+					arg = 1;
+				}
 				break;

 			case '@':
--- a/ext/standard/tests/strings/bug75075.phpt
+++ b/ext/standard/tests/strings/bug75075.phpt
@ -0,0 +1,10 @@
+--TEST--
+Bug #75075 (unpack with X* causes infinity loop)
+--FILE--
+<?php
+var_dump(unpack("X*", ""));
+?>
+--EXPECTF--
+Warning: unpack(): Type X: '*' ignored in %sbug75075.php on line %d
+array(0) {
+}