1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
Index: php5-5.3.3/ext/spl/spl_array.c
===================================================================
--- php5-5.3.3.orig/ext/spl/spl_array.c 2014-07-17 22:46:55.000000000 +0200
+++ php5-5.3.3/ext/spl/spl_array.c 2014-07-17 22:47:57.000000000 +0200
@@ -1714,7 +1714,7 @@
++p;
ALLOC_INIT_ZVAL(pmembers);
- if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p TSRMLS_CC)) {
+ if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
zval_ptr_dtor(&pmembers);
goto outexcept;
}
Index: php5-5.3.3/ext/spl/spl_observer.c
===================================================================
--- php5-5.3.3.orig/ext/spl/spl_observer.c 2014-07-17 22:46:55.000000000 +0200
+++ php5-5.3.3/ext/spl/spl_observer.c 2014-07-17 22:46:55.000000000 +0200
@@ -686,7 +686,7 @@
++p;
ALLOC_INIT_ZVAL(pmembers);
- if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+ if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
zval_ptr_dtor(&pmembers);
goto outexcept;
}
Index: php5-5.3.3/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
===================================================================
--- php5-5.3.3.orig/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt 2014-07-17 22:46:55.000000000 +0200
+++ php5-5.3.3/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt 2014-07-17 22:51:01.000000000 +0200
@@ -7,6 +7,7 @@
'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"',
);
foreach($badblobs as $blob) {
try {
@@ -17,6 +18,7 @@
echo $e->getMessage()."\n";
}
}
+echo "DONE\n";
--EXPECTF--
Error at offset 6 of 34 bytes
Error at offset 46 of 89 bytes
@@ -42,4 +44,5 @@
}
}
}
-
+Error at offset 79 of 78 bytes
+DONE
|
