Fix segfault when unserializing abstract class
authorNikita Popov <nikita.ppv@gmail.com>
Mon, 16 Sep 2019 11:52:52 +0000 (13:52 +0200)
committerNikita Popov <nikita.ppv@gmail.com>
Mon, 16 Sep 2019 11:52:52 +0000 (13:52 +0200)
ext/standard/tests/serialize/unserialize_abstract_class.phpt [new file with mode: 0644]
ext/standard/var_unserializer.re

diff --git a/ext/standard/tests/serialize/unserialize_abstract_class.phpt b/ext/standard/tests/serialize/unserialize_abstract_class.phpt
new file mode 100644 (file)
index 0000000..e835e50
--- /dev/null
@@ -0,0 +1,15 @@
+--TEST--
+Unserializing an abstract class should fail
+--FILE--
+<?php
+
+$payload = 'O:23:"RecursiveFilterIterator":0:{}';
+try {
+    var_dump(unserialize($payload));
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Cannot instantiate abstract class RecursiveFilterIterator
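Review bot: Only the abstract-class case is pinned by this test, but the new check in var_unserializer.re fires on any `object_init_ex()` failure, which as far as I know also covers interfaces and traits. I would add one more `try` block for an `O:` payload naming an interface and one for a trait declared in the test, each with its own line under `--EXPECT--`, so a later refactor of the failure path cannot bring the crash back for those kinds. A short comment in `--FILE--`, for example `// unserialize() input chooses the class name, so a non-instantiable class must throw, not crash`, would also record why the test exists.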
index ba425e692eca49d5da7f01510e534e2f8e17cd39..fcc68dc4312811b7c86e5622cc763b8f3e82b80f 100644 (file)
@@ -1144,7 +1144,11 @@ object ":" uiv ":" ["]   {
                return 0;
        }
 
-       object_init_ex(rval, ce);
+       if (object_init_ex(rval, ce) == FAILURE) {
+               zend_string_release_ex(class_name, 0);
+               return 0;
+       }
+
        if (incomplete_class) {
                php_store_class_name(rval, ZSTR_VAL(class_name), len2);
        }