We also need to discard old entries in the ref_props HT when values
are overwritten.
We should really forbid these kinds of overwrites. I believe they
can only occur in manually crafted serialization strings, and
cause so many problems...
Fixes oss-fuzz #28257.
Missed a check for info in this code. Add it, and add an assertion
in type source removal to make it easier to catch this issue.
Fixes oss-fuzz #28208 and #28257.
Handle one case the previous patch did not account for: If
unserialization of data fails, we should still register a ref
source.
Also add an extra test for a reference between two typed properties,
as this used to be handled incorrectly earlier.
Only register the slot for adding ref sources later if we didn't
immediately register one. Also avoids leaking a ref source if
it is added early and the assignment fails.
Fixes oss-fuzz #27628.
Add ZVAL_CHAR/RETVAL_CHAR/RETURN_CHAR as a shortcut for using
ZVAL_INTERNED_STRING and ZSTR_CHAR.
Add zend_string_init_fast() as a helper for the empty string /
one char interned string / zend_string_init() pattern.
Also add corresponding ZVAL_STRINGL_FAST etc macros.
Closes GH-5684.
Add a max_depth option to unserialize and an unserialize_max_depth
ini setting, which can be used to control the depth limit. The
default value is 4096.
This option is intended to prevent stack overflows during the
unserialization of deeply nested structures.
This fixes bug #78549 and addresses oss-fuzz #17581, #17589, #17664,
and #17788.
This fixes two issues:
* Negative the value in an unsigned type to avoid signed overflow.
* Treat -0 as 0 rather than an invalid number that gets converted
to ZEND_LONG_MIN.
When storing two temporary variables for delayed __unserialize() calls,
we have to make sure that both fit into the same linked list element.
To that end we introduce the internal API `tmp_var` which allows to
reserve `num` slots in the same list element.
We also fix the `var_dtor_entries` struct definition to use the proper
size, namely `VAR_DTOR_ENTRIES_MAX`.
RFC: https://wiki.php.net/rfc/typed_properties_v2
This is a squash of PR #3734, which is a squash of PR #3313.
Co-authored-by: Bob Weinand <bobwei9@hotmail.com>
Co-authored-by: Joe Watkins <krakjoe@php.net>
Co-authored-by: Dmitry Stogov <dmitry@zend.com>
The $Id$ keywords were used in Subversion where they can be substituted
with filename, last revision number change, last changed date, and last
user who changed it.
In Git this functionality is different and can be done with Git attribute
ident. These need to be defined manually for each file in the
.gitattributes file and are afterwards replaced with 40-character
hexadecimal blob object name which is based only on the particular file
contents.
This patch simplifies handling of $Id$ keywords by removing them since
they are not used anymore.
Validate that "C" serialization payload is followed by "}" prior to
calling the unserialize() handler. This mitigates issues caused by
unserialize() not correctly handling strings that are not NUL
terminated. Making sure that there is a "}" at the end avoids the
problem.