mirror of
https://github.com/php/php-src.git
synced 2024-09-22 02:17:32 +00:00
Fix leak in SplObjectStorage unserialization
The result of php_var_unserialize always needs to be destroyed, even if the call failed.
This commit is contained in:
parent
81cefab7b0
commit
8873df8e86
@ -804,12 +804,14 @@ SPL_METHOD(SplObjectStorage, unserialize)
|
||||
}
|
||||
/* store reference to allow cross-references between different elements */
|
||||
if (!php_var_unserialize(&entry, &p, s + buf_len, &var_hash)) {
|
||||
zval_ptr_dtor(&entry);
|
||||
goto outexcept;
|
||||
}
|
||||
if (*p == ',') { /* new version has inf */
|
||||
++p;
|
||||
if (!php_var_unserialize(&inf, &p, s + buf_len, &var_hash)) {
|
||||
zval_ptr_dtor(&entry);
|
||||
zval_ptr_dtor(&inf);
|
||||
goto outexcept;
|
||||
}
|
||||
}
|
||||
|
16
ext/standard/tests/serialize/unserialize_leak.phpt
Normal file
16
ext/standard/tests/serialize/unserialize_leak.phpt
Normal file
@ -0,0 +1,16 @@
|
||||
--TEST--
|
||||
Unserialize leak in SplObjectStorage
|
||||
--FILE--
|
||||
<?php
|
||||
|
||||
$payload = 'C:16:"SplObjectStorage":113:{x:i:2;O:8:"stdClass":1:{},a:2:{s:4:"prev";i:2;s:4:"next";O:8:"stdClass":0:{}};r:7;,R:2;s:4:"next";;r:3;};m:a:0:{}}';
|
||||
try {
|
||||
var_dump(unserialize($payload));
|
||||
} catch (Exception $e) {
|
||||
echo $e->getMessage(), "\n";
|
||||
}
|
||||
|
||||
?>
|
||||
--EXPECTF--
|
||||
Notice: SplObjectStorage::unserialize(): Unexpected end of serialized data in %s on line %d
|
||||
Error at offset 24 of 113 bytes
|
Loading…
Reference in New Issue
Block a user