mirror of
https://github.com/php/php-src.git
synced 2024-09-22 02:17:32 +00:00
Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize)
This commit is contained in:
parent
55f7747bff
commit
caebb76131
2
NEWS
2
NEWS
@ -3,6 +3,8 @@ PHP NEWS
|
||||
?? ??? 2015, PHP 5.5.23
|
||||
|
||||
- Core:
|
||||
. Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize).
|
||||
(Laruence)
|
||||
. Fixed bug #69121 (Segfault in get_current_user when script owner is not
|
||||
in passwd with ZTS build). (dan at syneto dot net)
|
||||
. Fixed bug #65593 (Segfault when calling ob_start from output buffering
|
||||
|
10
ext/standard/tests/serialize/bug69139.phpt
Normal file
10
ext/standard/tests/serialize/bug69139.phpt
Normal file
@ -0,0 +1,10 @@
|
||||
--TEST--
|
||||
Bug #69139 (Crash in gc_zval_possible_root on unserialize)
|
||||
--FILE--
|
||||
<?php
|
||||
$str = 'a:1126666:{i:0;r:1;i:-09610;r:1;i:-0;i:0;i:0;O:1:"A":2119X:i:0;i:0;i:0;i:0;i:0;O:1:"A":2116:{i:0;r:5;i:-096766610;r:1;i:-610;r:1;i:0;i:0;';
|
||||
@unserialize($str);
|
||||
echo "Alive";
|
||||
?>
|
||||
--EXPECT--
|
||||
Alive
|
@ -1,4 +1,4 @@
|
||||
/* Generated by re2c 0.13.7.5 on Thu Jan 1 14:43:18 2015 */
|
||||
/* Generated by re2c 0.13.5 */
|
||||
#line 1 "ext/standard/var_unserializer.re"
|
||||
/*
|
||||
+----------------------------------------------------------------------+
|
||||
@ -320,8 +320,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
|
||||
if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) {
|
||||
zval_dtor(key);
|
||||
FREE_ZVAL(key);
|
||||
zval_dtor(data);
|
||||
FREE_ZVAL(data);
|
||||
zval_ptr_dtor(&data);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -483,7 +482,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
|
||||
|
||||
|
||||
|
||||
#line 487 "ext/standard/var_unserializer.c"
|
||||
#line 486 "ext/standard/var_unserializer.c"
|
||||
{
|
||||
YYCTYPE yych;
|
||||
static const unsigned char yybm[] = {
|
||||
@ -543,9 +542,9 @@ yy2:
|
||||
yych = *(YYMARKER = ++YYCURSOR);
|
||||
if (yych == ':') goto yy95;
|
||||
yy3:
|
||||
#line 838 "ext/standard/var_unserializer.re"
|
||||
#line 837 "ext/standard/var_unserializer.re"
|
||||
{ return 0; }
|
||||
#line 549 "ext/standard/var_unserializer.c"
|
||||
#line 548 "ext/standard/var_unserializer.c"
|
||||
yy4:
|
||||
yych = *(YYMARKER = ++YYCURSOR);
|
||||
if (yych == ':') goto yy89;
|
||||
@ -588,13 +587,13 @@ yy13:
|
||||
goto yy3;
|
||||
yy14:
|
||||
++YYCURSOR;
|
||||
#line 832 "ext/standard/var_unserializer.re"
|
||||
#line 831 "ext/standard/var_unserializer.re"
|
||||
{
|
||||
/* this is the case where we have less data than planned */
|
||||
php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data");
|
||||
return 0; /* not sure if it should be 0 or 1 here? */
|
||||
}
|
||||
#line 598 "ext/standard/var_unserializer.c"
|
||||
#line 597 "ext/standard/var_unserializer.c"
|
||||
yy16:
|
||||
yych = *++YYCURSOR;
|
||||
goto yy3;
|
||||
@ -620,12 +619,11 @@ yy20:
|
||||
if (yybm[0+yych] & 128) {
|
||||
goto yy20;
|
||||
}
|
||||
if (yych <= '/') goto yy18;
|
||||
if (yych >= ';') goto yy18;
|
||||
if (yych != ':') goto yy18;
|
||||
yych = *++YYCURSOR;
|
||||
if (yych != '"') goto yy18;
|
||||
++YYCURSOR;
|
||||
#line 686 "ext/standard/var_unserializer.re"
|
||||
#line 685 "ext/standard/var_unserializer.re"
|
||||
{
|
||||
size_t len, len2, len3, maxlen;
|
||||
long elements;
|
||||
@ -771,7 +769,7 @@ yy20:
|
||||
|
||||
return object_common2(UNSERIALIZE_PASSTHRU, elements);
|
||||
}
|
||||
#line 775 "ext/standard/var_unserializer.c"
|
||||
#line 773 "ext/standard/var_unserializer.c"
|
||||
yy25:
|
||||
yych = *++YYCURSOR;
|
||||
if (yych <= ',') {
|
||||
@ -796,7 +794,7 @@ yy27:
|
||||
yych = *++YYCURSOR;
|
||||
if (yych != '"') goto yy18;
|
||||
++YYCURSOR;
|
||||
#line 678 "ext/standard/var_unserializer.re"
|
||||
#line 677 "ext/standard/var_unserializer.re"
|
||||
{
|
||||
|
||||
INIT_PZVAL(*rval);
|
||||
@ -804,7 +802,7 @@ yy27:
|
||||
return object_common2(UNSERIALIZE_PASSTHRU,
|
||||
object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
|
||||
}
|
||||
#line 808 "ext/standard/var_unserializer.c"
|
||||
#line 806 "ext/standard/var_unserializer.c"
|
||||
yy32:
|
||||
yych = *++YYCURSOR;
|
||||
if (yych == '+') goto yy33;
|
||||
@ -825,7 +823,7 @@ yy34:
|
||||
yych = *++YYCURSOR;
|
||||
if (yych != '{') goto yy18;
|
||||
++YYCURSOR;
|
||||
#line 658 "ext/standard/var_unserializer.re"
|
||||
#line 657 "ext/standard/var_unserializer.re"
|
||||
{
|
||||
long elements = parse_iv(start + 2);
|
||||
/* use iv() not uiv() in order to check data range */
|
||||
@ -845,7 +843,7 @@ yy34:
|
||||
|
||||
return finish_nested_data(UNSERIALIZE_PASSTHRU);
|
||||
}
|
||||
#line 849 "ext/standard/var_unserializer.c"
|
||||
#line 847 "ext/standard/var_unserializer.c"
|
||||
yy39:
|
||||
yych = *++YYCURSOR;
|
||||
if (yych == '+') goto yy40;
|
||||
@ -866,7 +864,7 @@ yy41:
|
||||
yych = *++YYCURSOR;
|
||||
if (yych != '"') goto yy18;
|
||||
++YYCURSOR;
|
||||
#line 629 "ext/standard/var_unserializer.re"
|
||||
#line 628 "ext/standard/var_unserializer.re"
|
||||
{
|
||||
size_t len, maxlen;
|
||||
char *str;
|
||||
@ -895,7 +893,7 @@ yy41:
|
||||
ZVAL_STRINGL(*rval, str, len, 0);
|
||||
return 1;
|
||||
}
|
||||
#line 899 "ext/standard/var_unserializer.c"
|
||||
#line 897 "ext/standard/var_unserializer.c"
|
||||
yy46:
|
||||
yych = *++YYCURSOR;
|
||||
if (yych == '+') goto yy47;
|
||||
@ -916,7 +914,7 @@ yy48:
|
||||
yych = *++YYCURSOR;
|
||||
if (yych != '"') goto yy18;
|
||||
++YYCURSOR;
|
||||
#line 601 "ext/standard/var_unserializer.re"
|
||||
#line 600 "ext/standard/var_unserializer.re"
|
||||
{
|
||||
size_t len, maxlen;
|
||||
char *str;
|
||||
@ -944,7 +942,7 @@ yy48:
|
||||
ZVAL_STRINGL(*rval, str, len, 1);
|
||||
return 1;
|
||||
}
|
||||
#line 948 "ext/standard/var_unserializer.c"
|
||||
#line 946 "ext/standard/var_unserializer.c"
|
||||
yy53:
|
||||
yych = *++YYCURSOR;
|
||||
if (yych <= '/') {
|
||||
@ -1032,7 +1030,7 @@ yy61:
|
||||
}
|
||||
yy63:
|
||||
++YYCURSOR;
|
||||
#line 591 "ext/standard/var_unserializer.re"
|
||||
#line 590 "ext/standard/var_unserializer.re"
|
||||
{
|
||||
#if SIZEOF_LONG == 4
|
||||
use_double:
|
||||
@ -1042,7 +1040,7 @@ use_double:
|
||||
ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL));
|
||||
return 1;
|
||||
}
|
||||
#line 1046 "ext/standard/var_unserializer.c"
|
||||
#line 1044 "ext/standard/var_unserializer.c"
|
||||
yy65:
|
||||
yych = *++YYCURSOR;
|
||||
if (yych <= ',') {
|
||||
@ -1101,7 +1099,7 @@ yy73:
|
||||
yych = *++YYCURSOR;
|
||||
if (yych != ';') goto yy18;
|
||||
++YYCURSOR;
|
||||
#line 576 "ext/standard/var_unserializer.re"
|
||||
#line 575 "ext/standard/var_unserializer.re"
|
||||
{
|
||||
*p = YYCURSOR;
|
||||
INIT_PZVAL(*rval);
|
||||
@ -1116,7 +1114,7 @@ yy73:
|
||||
|
||||
return 1;
|
||||
}
|
||||
#line 1120 "ext/standard/var_unserializer.c"
|
||||
#line 1118 "ext/standard/var_unserializer.c"
|
||||
yy76:
|
||||
yych = *++YYCURSOR;
|
||||
if (yych == 'N') goto yy73;
|
||||
@ -1143,7 +1141,7 @@ yy79:
|
||||
if (yych <= '9') goto yy79;
|
||||
if (yych != ';') goto yy18;
|
||||
++YYCURSOR;
|
||||
#line 549 "ext/standard/var_unserializer.re"
|
||||
#line 548 "ext/standard/var_unserializer.re"
|
||||
{
|
||||
#if SIZEOF_LONG == 4
|
||||
int digits = YYCURSOR - start - 3;
|
||||
@ -1170,7 +1168,7 @@ yy79:
|
||||
ZVAL_LONG(*rval, parse_iv(start + 2));
|
||||
return 1;
|
||||
}
|
||||
#line 1174 "ext/standard/var_unserializer.c"
|
||||
#line 1172 "ext/standard/var_unserializer.c"
|
||||
yy83:
|
||||
yych = *++YYCURSOR;
|
||||
if (yych <= '/') goto yy18;
|
||||
@ -1178,24 +1176,24 @@ yy83:
|
||||
yych = *++YYCURSOR;
|
||||
if (yych != ';') goto yy18;
|
||||
++YYCURSOR;
|
||||
#line 542 "ext/standard/var_unserializer.re"
|
||||
#line 541 "ext/standard/var_unserializer.re"
|
||||
{
|
||||
*p = YYCURSOR;
|
||||
INIT_PZVAL(*rval);
|
||||
ZVAL_BOOL(*rval, parse_iv(start + 2));
|
||||
return 1;
|
||||
}
|
||||
#line 1189 "ext/standard/var_unserializer.c"
|
||||
#line 1187 "ext/standard/var_unserializer.c"
|
||||
yy87:
|
||||
++YYCURSOR;
|
||||
#line 535 "ext/standard/var_unserializer.re"
|
||||
#line 534 "ext/standard/var_unserializer.re"
|
||||
{
|
||||
*p = YYCURSOR;
|
||||
INIT_PZVAL(*rval);
|
||||
ZVAL_NULL(*rval);
|
||||
return 1;
|
||||
}
|
||||
#line 1199 "ext/standard/var_unserializer.c"
|
||||
#line 1197 "ext/standard/var_unserializer.c"
|
||||
yy89:
|
||||
yych = *++YYCURSOR;
|
||||
if (yych <= ',') {
|
||||
@ -1218,7 +1216,7 @@ yy91:
|
||||
if (yych <= '9') goto yy91;
|
||||
if (yych != ';') goto yy18;
|
||||
++YYCURSOR;
|
||||
#line 512 "ext/standard/var_unserializer.re"
|
||||
#line 511 "ext/standard/var_unserializer.re"
|
||||
{
|
||||
long id;
|
||||
|
||||
@ -1241,7 +1239,7 @@ yy91:
|
||||
|
||||
return 1;
|
||||
}
|
||||
#line 1245 "ext/standard/var_unserializer.c"
|
||||
#line 1243 "ext/standard/var_unserializer.c"
|
||||
yy95:
|
||||
yych = *++YYCURSOR;
|
||||
if (yych <= ',') {
|
||||
@ -1264,7 +1262,7 @@ yy97:
|
||||
if (yych <= '9') goto yy97;
|
||||
if (yych != ';') goto yy18;
|
||||
++YYCURSOR;
|
||||
#line 491 "ext/standard/var_unserializer.re"
|
||||
#line 490 "ext/standard/var_unserializer.re"
|
||||
{
|
||||
long id;
|
||||
|
||||
@ -1285,9 +1283,9 @@ yy97:
|
||||
|
||||
return 1;
|
||||
}
|
||||
#line 1289 "ext/standard/var_unserializer.c"
|
||||
#line 1287 "ext/standard/var_unserializer.c"
|
||||
}
|
||||
#line 840 "ext/standard/var_unserializer.re"
|
||||
#line 839 "ext/standard/var_unserializer.re"
|
||||
|
||||
|
||||
return 0;
|
||||
|
@ -324,8 +324,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
|
||||
if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) {
|
||||
zval_dtor(key);
|
||||
FREE_ZVAL(key);
|
||||
zval_dtor(data);
|
||||
FREE_ZVAL(data);
|
||||
zval_ptr_dtor(&data);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user