Fix bug #73029 - Missing type check when unserializing SplArray
authorStanislav Malyshev <stas@php.net>
Mon, 12 Sep 2016 03:24:13 +0000 (20:24 -0700)
committerAnatol Belski <ab@php.net>
Mon, 12 Sep 2016 15:42:23 +0000 (17:42 +0200)
(cherry picked from commit 6d16288150be33392a3249e417a0929881feb9a2)

Conflicts:
ext/spl/spl_array.c

ext/spl/spl_array.c
ext/spl/tests/bug73029.phpt [new file with mode: 0644]

index 60cbac572697ead5ca180c976cda09928d94005d..21f84038824e5c0511df01927f3514c34acd5077 100644 (file)
@@ -295,7 +295,7 @@ static zval *spl_array_get_dimension_ptr(int check_inherited, spl_array_object *
        zend_string *offset_key;
        HashTable *ht = spl_array_get_hash_table(intern);
 
-       if (!offset || Z_ISUNDEF_P(offset)) {
+       if (!offset || Z_ISUNDEF_P(offset) || !ht) {
                return &EG(uninitialized_zval);
        }
 
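Review bot: The new `!ht` guard in `spl_array_get_dimension_ptr` has no comment saying when `spl_array_get_hash_table(intern)` can return NULL, which is the security-relevant part of this hunk. I would add above the condition `/* ht is NULL when the backing zval is neither array nor object, e.g. after a rejected unserialize payload */`, with the wording confirmed against `spl_array_get_hash_table`, which is not visible here. Other callers of that helper outside this hunk presumably need the same NULL handling and are worth auditing. The function body continues past the hunk.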
@@ -1796,7 +1796,8 @@ SPL_METHOD(Array, unserialize)
                intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK;
                zval_ptr_dtor(&intern->array);
                ZVAL_UNDEF(&intern->array);
-               if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash)) {
+               if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash)
+                               || (Z_TYPE(intern->array) != IS_ARRAY && Z_TYPE(intern->array) != IS_OBJECT)) {
                        goto outexcept;
                }
                var_push_dtor(&var_hash, &intern->array);
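Review bot: The type check runs only after `php_var_unserialize` has already written into `intern->array`, so on the `goto outexcept` path the object can be left holding a value that is neither array nor object, unless `outexcept` resets it, which is not visible in this hunk. Unserializing into a temporary zval and assigning `intern->array` only once `Z_TYPE` is `IS_ARRAY` or `IS_OBJECT` would keep the object consistent on failure. The condition also admits any `IS_OBJECT`; if the constructor path applies stricter checks to the wrapped object, the same checks should apply here. `SPL_METHOD(Array, unserialize)` starts and ends outside the hunk.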
diff --git a/ext/spl/tests/bug73029.phpt b/ext/spl/tests/bug73029.phpt
new file mode 100644 (file)
index 0000000..a379f80
--- /dev/null
@@ -0,0 +1,16 @@
+--TEST--
+Bug #73029: Missing type check when unserializing SplArray
+--FILE--
+<?php
+try {
+$a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}';
+$m = unserialize($a);
+$x = $m[2];
+} catch(UnexpectedValueException $e) {
+       print $e->getMessage() . "\n";
+}
+?>
+DONE
+--EXPECTF--
+Error at offset 10 of 19 bytes
+DONE
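Review bot: With the expected output `Error at offset 10 of 19 bytes`, `unserialize($a)` throws, so `$x = $m[2];` is never executed and the `!ht` guard added in `spl_array_get_dimension_ptr` gets no coverage from this test. A comment such as `// not reached once unserialize() rejects the payload` on that line would make this explicit. Covering the guard would need a second case that reaches a dimension read on an object whose storage is invalid, if such a state is still constructible.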