clones/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-09-23 10:57:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix bug #67492: unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion

Browse Source
This commit is contained in:
Stanislav Malyshev 2014-06-21 19:46:16 -07:00
parent 2a29add9e4
commit a374dfab56
3 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ext/spl/spl_array.c
View File

@ -1804,7 +1804,7 @@ SPL_METHOD(Array, unserialize)
++p;
ALLOC_INIT_ZVAL(pmembers);
if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
zval_ptr_dtor(&pmembers);
goto outexcept;
}

2
ext/spl/spl_observer.c
View File

@ -914,7 +914,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
++p;
ALLOC_INIT_ZVAL(pmembers);
if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
zval_ptr_dtor(&pmembers);
goto outexcept;
}

5
ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
View File

@ -7,6 +7,7 @@ $badblobs = array(
'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"',
);
foreach($badblobs as $blob) {
try {
@ -17,6 +18,7 @@ try {
echo $e->getMessage()."\n";
}
}
echo "DONE\n";
--EXPECTF--
Error at offset 6 of 34 bytes
Error at offset 46 of 89 bytes
@ -42,4 +44,5 @@ object(SplObjectStorage)#2 (1) {
}
}
}
Error at offset 79 of 78 bytes
DONE