mirror of
https://github.com/php/php-src.git
synced 2024-09-22 10:27:25 +00:00
Merge branch 'PHP-7.1'
* PHP-7.1: Fix #73832 - leave the table in a safe state if the size is too big. Fix bug #73831 - NULL Pointer Dereference while unserialize php object
commit
13c18d4601
@ -173,7 +173,6 @@ ZEND_API void ZEND_FASTCALL _zend_hash_init(HashTable *ht, uint32_t nSize, dtor_
|
||||
GC_REFCOUNT(ht) = 1;
|
||||
GC_TYPE_INFO(ht) = IS_ARRAY | (persistent ? 0 : (GC_COLLECTABLE << GC_FLAGS_SHIFT));
|
||||
ht->u.flags = (persistent ? HASH_FLAG_PERSISTENT : 0) | HASH_FLAG_APPLY_PROTECTION | HASH_FLAG_STATIC_KEYS;
|
||||
ht->nTableSize = zend_hash_check_size(nSize);
|
||||
ht->nTableMask = HT_MIN_MASK;
|
||||
HT_SET_DATA_ADDR(ht, &uninitialized_bucket);
|
||||
ht->nNumUsed = 0;
|
||||
@ -181,6 +180,7 @@ ZEND_API void ZEND_FASTCALL _zend_hash_init(HashTable *ht, uint32_t nSize, dtor_
|
||||
ht->nInternalPointer = HT_INVALID_IDX;
|
||||
ht->nNextFreeElement = 0;
|
||||
ht->pDestructor = pDestructor;
|
||||
ht->nTableSize = zend_hash_check_size(nSize);
|
||||
}
|
||||
|
||||
static void ZEND_FASTCALL zend_hash_packed_grow(HashTable *ht)
|
||||
|
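Review bot: The `ht->nTableSize = zend_hash_check_size(nSize);` assignment now sits at the end of `_zend_hash_init` with nothing saying that its position matters, so a later tidy-up could move it back up among the other field assignments. Going by the commit message, the size check presumably does not return normally for an oversized `nSize`, and the rest of the table has to be initialised by the time that happens. I would put a comment above the line, such as `/* Keep last: zend_hash_check_size() may bail out on an oversized nSize, and ht must already be fully initialized when it does. */`. The start of `_zend_hash_init` is outside the hunk, so this assumes nothing earlier in the function reads `nTableSize`.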
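--- a/ext/wddx/tests/bug73831.phpt
+++ b/ext/wddx/tests/bug73831.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #73831 (NULL Pointer Dereference while unserialize php object)
+--SKIPIF--
+<?php if (!extension_loaded("wddx")) print "skip"; ?>
+--FILE--
+<?php
+$xml = <<<EOF
+<?xml version="1.0" ?>
+<wddxPacket version="1.0">
+<struct>
+<var name="php_class_name">
+<string>Throwable</string>
+</var>
+</struct>
+</wddxPacket>
+EOF;
+try {
+$wddx = wddx_deserialize($xml);
+} catch(Error $e) { echo $e->getMessage(); }
+?>
+--EXPECTF--
+Warning: wddx_deserialize(): Class throwable can not be instantiated in %sbug73831.php on line %d
+Cannot instantiate interface Throwable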
@ -908,7 +908,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
|
||||
|
||||
if (!strcmp((char *)name, EL_BINARY)) {
|
||||
zend_string *new_str = NULL;
|
||||
|
||||
|
||||
if (ZSTR_EMPTY_ALLOC() != Z_STR(ent1->data)) {
|
||||
new_str = php_base64_decode(
|
||||
(unsigned char *)Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
|
||||
@ -967,22 +967,26 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
|
||||
php_error_docref(NULL, E_WARNING, "Class %s can not be unserialized", Z_STRVAL(ent1->data));
|
||||
} else {
|
||||
/* Initialize target object */
|
||||
object_init_ex(&obj, pce);
|
||||
if (object_init_ex(&obj, pce) != SUCCESS || EG(exception)) {
|
||||
zval_ptr_dtor(&ent2->data);
|
||||
ZVAL_UNDEF(&ent2->data);
|
||||
php_error_docref(NULL, E_WARNING, "Class %s can not be instantiated", Z_STRVAL(ent1->data));
|
||||
} else {
|
||||
/* Merge current hashtable with object's default properties */
|
||||
zend_hash_merge(Z_OBJPROP(obj),
|
||||
Z_ARRVAL(ent2->data),
|
||||
zval_add_ref, 0);
|
||||
|
||||
/* Merge current hashtable with object's default properties */
|
||||
zend_hash_merge(Z_OBJPROP(obj),
|
||||
Z_ARRVAL(ent2->data),
|
||||
zval_add_ref, 0);
|
||||
if (incomplete_class) {
|
||||
php_store_class_name(&obj, Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
|
||||
}
|
||||
|
||||
if (incomplete_class) {
|
||||
php_store_class_name(&obj, Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
|
||||
/* Clean up old array entry */
|
||||
zval_ptr_dtor(&ent2->data);
|
||||
|
||||
/* Set stack entry to point to the newly created object */
|
||||
ZVAL_COPY_VALUE(&ent2->data, &obj);
|
||||
}
|
||||
|
||||
/* Clean up old array entry */
|
||||
zval_ptr_dtor(&ent2->data);
|
||||
|
||||
/* Set stack entry to point to the newly created object */
|
||||
ZVAL_COPY_VALUE(&ent2->data, &obj);
|
||||
}
|
||||
|
||||
/* Clean up class name var entry */
|
||||
|
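Review bot: The new failure branch after `object_init_ex(&obj, pce)` leaves `ent2->data` as `IS_UNDEF`, and every later consumer of that stack entry sits outside this hunk, so it is worth confirming that each of them checks the type before applying `Z_ARRVAL` or `Z_OBJPROP` to it. The same branch is taken when `object_init_ex` returns `SUCCESS` but `EG(exception)` is set, and in that case `obj` looks like it is never released. A `zval_ptr_dtor(&obj);` next to `ZVAL_UNDEF(&ent2->data);` would cover that, provided `obj` is left in a destructible state on the failure path, which is not visible here. A short comment on the branch would also help the next reader, e.g. `/* class name comes from the packet; interfaces and abstract classes cannot be instantiated */`. `php_wddx_pop_element` starts and ends outside the hunk.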