mirror of
https://github.com/php/php-src.git
synced 2024-09-22 02:17:32 +00:00
Fixed bug #62836 (Seg fault or broken object references on unserialize())
This commit is contained in:
parent
8ac61a3e60
commit
0b23da1c74
4
NEWS
4
NEWS
@ -26,6 +26,10 @@ PHP NEWS
|
||||
. Fixed bug (segfault due to PS(mod_user_implemented) not be reseted
|
||||
when close handler call exit). (Laruence)
|
||||
|
||||
- Standard:
|
||||
. Fixed bug #62836 (Seg fault or broken object references on unserialize()).
|
||||
(Laruence)
|
||||
|
||||
|
||||
?? ??? 2012, PHP 5.4.6
|
||||
|
||||
|
34
ext/standard/tests/serialize/bug62836_1.phpt
Normal file
34
ext/standard/tests/serialize/bug62836_1.phpt
Normal file
@ -0,0 +1,34 @@
|
||||
--TEST--
|
||||
Bug #62836 (Seg fault or broken object references on unserialize())
|
||||
--FILE--
|
||||
<?php
|
||||
$serialized_object='O:1:"A":4:{s:1:"b";O:1:"B":0:{}s:2:"b1";r:2;s:1:"c";O:1:"B":0:{}s:2:"c1";r:4;}';
|
||||
function __autoload($name) {
|
||||
unserialize("i:4;");
|
||||
eval("class $name {} ");
|
||||
}
|
||||
|
||||
print_r(unserialize($serialized_object));
|
||||
echo "okey";
|
||||
?>
|
||||
--EXPECT--
|
||||
A Object
|
||||
(
|
||||
[b] => B Object
|
||||
(
|
||||
)
|
||||
|
||||
[b1] => B Object
|
||||
(
|
||||
)
|
||||
|
||||
[c] => B Object
|
||||
(
|
||||
)
|
||||
|
||||
[c1] => B Object
|
||||
(
|
||||
)
|
||||
|
||||
)
|
||||
okey
|
37
ext/standard/tests/serialize/bug62836_2.phpt
Normal file
37
ext/standard/tests/serialize/bug62836_2.phpt
Normal file
@ -0,0 +1,37 @@
|
||||
--TEST--
|
||||
Bug #62836 (Seg fault or broken object references on unserialize())
|
||||
--FILE--
|
||||
<?php
|
||||
$serialized_object='O:1:"A":4:{s:1:"b";O:1:"B":0:{}s:2:"b1";r:2;s:1:"c";O:1:"B":0:{}s:2:"c1";r:4;}';
|
||||
|
||||
ini_set('unserialize_callback_func','mycallback');
|
||||
|
||||
function mycallback($classname) {
|
||||
unserialize("i:4;");
|
||||
eval ("class $classname {} ");
|
||||
}
|
||||
|
||||
print_r(unserialize($serialized_object));
|
||||
echo "okey";
|
||||
?>
|
||||
--EXPECT--
|
||||
A Object
|
||||
(
|
||||
[b] => B Object
|
||||
(
|
||||
)
|
||||
|
||||
[b1] => B Object
|
||||
(
|
||||
)
|
||||
|
||||
[c] => B Object
|
||||
(
|
||||
)
|
||||
|
||||
[c1] => B Object
|
||||
(
|
||||
)
|
||||
|
||||
)
|
||||
okey
|
@ -620,10 +620,13 @@ yy20:
|
||||
|
||||
do {
|
||||
/* Try to find class directly */
|
||||
BG(serialize_lock) = 1;
|
||||
if (zend_lookup_class(class_name, len2, &pce TSRMLS_CC) == SUCCESS) {
|
||||
BG(serialize_lock) = 0;
|
||||
ce = *pce;
|
||||
break;
|
||||
}
|
||||
BG(serialize_lock) = 0;
|
||||
|
||||
/* Check for unserialize callback */
|
||||
if ((PG(unserialize_callback_func) == NULL) || (PG(unserialize_callback_func)[0] == '\0')) {
|
||||
@ -638,7 +641,9 @@ yy20:
|
||||
args[0] = &arg_func_name;
|
||||
MAKE_STD_ZVAL(arg_func_name);
|
||||
ZVAL_STRING(arg_func_name, class_name, 1);
|
||||
BG(serialize_lock) = 1;
|
||||
if (call_user_function_ex(CG(function_table), NULL, user_func, &retval_ptr, 1, args, 0, NULL TSRMLS_CC) != SUCCESS) {
|
||||
BG(serialize_lock) = 0;
|
||||
php_error_docref(NULL TSRMLS_CC, E_WARNING, "defined (%s) but not found", user_func->value.str.val);
|
||||
incomplete_class = 1;
|
||||
ce = PHP_IC_ENTRY;
|
||||
@ -646,6 +651,7 @@ yy20:
|
||||
zval_ptr_dtor(&arg_func_name);
|
||||
break;
|
||||
}
|
||||
BG(serialize_lock) = 0;
|
||||
if (retval_ptr) {
|
||||
zval_ptr_dtor(&retval_ptr);
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user