granicus.if.org Git - php/commit

author	Nikita Popov <nikita.ppv@gmail.com>
	Sat, 12 Aug 2017 11:00:39 +0000 (13:00 +0200)
committer	Nikita Popov <nikita.ppv@gmail.com>
	Sat, 12 Aug 2017 11:11:35 +0000 (13:11 +0200)
commit	1a23ebc1fff59bf480ca92963b36eba5c1b904c4
tree	14168c1726046a05c6fff13bf77eb8f6f77725e1	tree \| snapshot
parent	b59718bdc439f82fa1beae2c4ea1582c38bc8de3	commit \| diff

Fixed bug #74103 and bug #75054

Directly fail unserialization when trying to acquire an r/R
reference to an UNDEF HT slot. Previously this left an UNDEF and
later deleted the index/key from the HT.

What actually caused the issue here is a combination of two
factors: First, the key deletion was performed using the hash API,
rather than the symtable API, such that the element was not actually
removed if it used an integral string key. Second, a subsequent
deletion operation, while collecting trailing UNDEF ranges, would
mark the element as available for reuse (leaving a corrupted HT
state with nNumOfElemnts > nNumUsed).

Fix this by failing early and dropping the deletion code.

NEWS		diff \| blob \| history
ext/standard/tests/serialize/bug74103.phpt	[new file with mode: 0644]	blob
ext/standard/tests/serialize/bug75054.phpt	[new file with mode: 0644]	blob
ext/standard/var_unserializer.c		diff \| blob \| history
ext/standard/var_unserializer.re		diff \| blob \| history