Fixed bug #34045 (Buffer overflow with serialized object)

2024-11-24 10:24:11 +08:00 · 2005-08-10 06:37:19 +00:00 · 2005-08-10 06:37:19 +00:00 · f0f1557998
commit f0f1557998
parent 1a29376c07
4 changed files with 37 additions and 0 deletions
--- a/1
+++ b/1
@ -10,6 +10,7 @@ PHP                                                                        NEWS
 - Fixed "make test" to work for phpized extensions. (Hartmut, Jani)
 - Fixed failing queries (FALSE returned) with mysqli_query() on 64 bit systems.
  (Andrey)
+- Fixed bug #34045 (Buffer overflow with serialized object). (Dmitry)
 - Fixed bug #33999 (object remains object when cast to int). (Dmitry)
 - Fixed bug #33996 (No information given for fatal error on passing invalid
  value to typed argument). (Dmitry)
--- a/Zend/tests/bug34045.phpt
+++ b/Zend/tests/bug34045.phpt
@ -0,0 +1,28 @@
+--TEST--
+Bug #34045 (Buffer overflow with serialized object)
+--FILE--
+<?php
+class BasicSingleton
+{
+    private static $instance;
+
+    public function __wakeup() {
+        self::$instance = $this;
+    }
+
+    public static function singleton() {
+        if (!(self::$instance instanceof BasicSingleton)) {
+            $c = __CLASS__;
+            self::$instance = new $c;
+        }
+        return self::$instance;
+    }
+}
+
+$db = BasicSingleton::singleton();
+$db_str = serialize($db);
+$db2 = unserialize($db_str);
+echo "ok\n";
+?>
+--EXPECT--
+ok
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@ -1838,10 +1838,14 @@ ZEND_VM_HELPER(zend_do_fcall_common_helper, ANY, ANY)
 		}

 		EG(current_execute_data) = EXECUTE_DATA;
+
+/*	We shouldn't fix bad extensions here,
+    because it can break proper ones (Bug #34045)
 		if (!EX(function_state).function->common.return_reference) {
 			EX_T(opline->result.u.var).var.ptr->is_ref = 0;
 			EX_T(opline->result.u.var).var.ptr->refcount = 1;
 		}
+*/
 		if (!return_value_used) {
 			zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
 		}
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@ -187,10 +187,14 @@ static int zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS)
 		}

 		EG(current_execute_data) = execute_data;
+
+/*	We shouldn't fix bad extensions here,
+    because it can break proper ones (Bug #34045)
 		if (!EX(function_state).function->common.return_reference) {
 			EX_T(opline->result.u.var).var.ptr->is_ref = 0;
 			EX_T(opline->result.u.var).var.ptr->refcount = 1;
 		}
+*/
 		if (!return_value_used) {
 			zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
 		}