From b7fa67742cd8d2b0ca0c0273b157f6ffee9ad6e2 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 26 Jul 2015 17:25:25 -0700
Subject: [PATCH] Fix bug #70068 (Dangling pointer in the unserialization of
ArrayObject items)
---
ext/spl/spl_array.c | 90 +++++++++++++++++++++++----------------------
ext/spl/tests/bug70068.phpt | 9 +++++
2 files changed, 56 insertions(+), 43 deletions(-)
create mode 100644 ext/spl/tests/bug70068.phpt
Index: php5-5.3.3.1/ext/spl/spl_array.c
===================================================================
--- php5-5.3.3.1.orig/ext/spl/spl_array.c 2015-10-19 11:28:15.000000000 +0200
+++ php5-5.3.3.1/ext/spl/spl_array.c 2015-10-19 11:30:41.000000000 +0200
@@ -1673,13 +1673,11 @@
ALLOC_INIT_ZVAL(pflags);
if (!php_var_unserialize(&pflags, &p, s + buf_len, var_hash_p TSRMLS_CC) || Z_TYPE_P(pflags) != IS_LONG) {
- zval_ptr_dtor(&pflags);
goto outexcept;
}
--p; /* for ';' */
flags = Z_LVAL_P(pflags);
- zval_ptr_dtor(&pflags);
/* flags needs to be verified and we also need to verify whether the next
* thing we get is ';'. After that we require an 'm' or somethign else
* where 'm' stands for members and anything else should be an array. If
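Review bot: Dropping the early `zval_ptr_dtor(&pflags)` after `flags = Z_LVAL_P(pflags);` is the actual fix, but nothing in the code now says why the zval is deliberately kept alive, so a later cleanup could reintroduce the dangling pointer. The bug title and the deferred free suggest the unserializer's var_hash still references this zval (a later `R:`/`r:` back-reference in the same input would resolve to it), so I would add right after the assignment: `/* do NOT free pflags here: the unserializer may still reference it until parsing is done (bug #70068) */`. The enclosing function and the declaration of `pflags` start before this hunk.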
@@ -1724,9 +1722,16 @@
zval_ptr_dtor(&pmembers);
/* done reading $serialized */
+ if (pflags) {
+ zval_ptr_dtor(&pflags);
+ }
+
return;
outexcept:
+ if (pflags) {
+ zval_ptr_dtor(&pflags);
+ }
zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - (char *)buf), buf_len);
return;
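Review bot: The new `if (pflags)` guards before `return` and at `outexcept:` are only correct if `pflags` is initialised to NULL at its declaration, which lies before this hunk; any `goto outexcept` taken before `ALLOC_INIT_ZVAL(pflags)` would otherwise test and destroy an indeterminate pointer. Please confirm the declaration reads `zval *pmembers, *pflags = NULL;` and change it if it does not. A one-line comment on the first new dtor, `/* pflags must outlive the whole parse; released only here */`, would also make the ordering relative to `zval_ptr_dtor(&pmembers)` explicit. The function's declarations are outside this hunk.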