Nikita Popov 2017-06-25 21:15:26 +02:00 committed by Stanislav Malyshev
parent 8dc4f4dc9e
commit f8c514ba6b
4 changed files with 503 additions and 519 deletions


@ -42,7 +42,7 @@ bool(false)
Notice: unserialize(): Error at offset 17 of 33 bytes in %sbug25378.php on line %d
bool(false)
Notice: unserialize(): Error at offset 33 of 32 bytes in %sbug25378.php on line %d
Notice: unserialize(): Error at offset 32 of 32 bytes in %sbug25378.php on line %d
bool(false)
Notice: unserialize(): Error at offset 2 of 13 bytes in %sbug25378.php on line %d


@ -0,0 +1,10 @@
--TEST--
Bug #74111: Heap buffer overread (READ: 1) finish_nested_data from unserialize
--FILE--
<?php
$s = 'O:8:"stdClass":00000000';
var_dump(unserialize($s));
?>
--EXPECTF--
Notice: unserialize(): Error at offset 25 of 23 bytes in %s on line %d
bool(false)
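Review bot: The expected notice pins `Error at offset 25 of 23 bytes`, an offset two bytes beyond the end of the input, so the test passes while the parser's cursor is still reported outside the buffer. The bug25378 expectation in the same commit was tightened from `33 of 32` to `32 of 32`, which suggests the remaining overshoot comes from an earlier unchecked advance rather than from finish_nested_data; that code is not visible here (one file's diff is suppressed on this page), so this is inferred. I would add a line in the `--FILE--` section such as `// NOTE: reported offset (25) exceeds the input length (23); the cursor is already past the end when the check fails` so the out-of-range value is not mistaken for a correct bound. The finish_nested_data hunk is affected by the same point, since its new `*p >= max` test is handling a cursor that can already be out of range on entry.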

File diff suppressed because it is too large Load Diff


@ -410,13 +410,12 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
static inline int finish_nested_data(UNSERIALIZE_PARAMETER)
{
if (*((*p)++) == '}')
return 1;
if (*p >= max || **p != '}') {
return 0;
}
#if SOMETHING_NEW_MIGHT_LEAD_TO_CRASH_ENABLE_IF_YOU_ARE_BRAVE
zval_ptr_dtor(rval);
#endif
return 0;
(*p)++;
return 1;
}
static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
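Review bot: finish_nested_data carries no comment stating its contract, and that contract changes here in a way callers can observe: on failure the cursor is no longer advanced, which is presumably what moves the bug25378 expectation from offset 33 to 32. I would add above the function `/* Consumes the closing '}' of a nested value; returns 0 without moving *p when *p is at or past max or the byte is not '}'. */`. The order of the operands in `*p >= max || **p != '}'` is what keeps the one-byte read inside the buffer, so a short why-comment on that line would guard against a later edit swapping them. This rendering does not make clear whether the `#if SOMETHING_NEW_MIGHT_LEAD_TO_CRASH_ENABLE_IF_YOU_ARE_BRAVE` block is removed or kept; if it is kept, it now sits ahead of the success path and should be dropped.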