{
long elements;
+ if( *p >= max - 2) {
+ zend_error(E_WARNING, "Bad unserialize data");
+ return -1;
+ }
+
elements = parse_iv2((*p) + 2, p);
(*p) += 2;
/* If this class implements Serializable, it should not land here but in object_custom(). The passed string
obviously doesn't descend from the regular serializer. */
zend_error(E_WARNING, "Erroneous data format for unserializing '%s'", ce->name);
- return 0;
+ return -1;
}
return elements;
-#line 496 "ext/standard/var_unserializer.c"
+#line 501 "ext/standard/var_unserializer.c"
{
YYCTYPE yych;
static const unsigned char yybm[] = {
yych = *(YYMARKER = ++YYCURSOR);
if (yych == ':') goto yy95;
yy3:
-#line 861 "ext/standard/var_unserializer.re"
+#line 875 "ext/standard/var_unserializer.re"
{ return 0; }
-#line 558 "ext/standard/var_unserializer.c"
+#line 563 "ext/standard/var_unserializer.c"
yy4:
yych = *(YYMARKER = ++YYCURSOR);
if (yych == ':') goto yy89;
goto yy3;
yy14:
++YYCURSOR;
-#line 855 "ext/standard/var_unserializer.re"
+#line 869 "ext/standard/var_unserializer.re"
{
/* this is the case where we have less data than planned */
php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data");
return 0; /* not sure if it should be 0 or 1 here? */
}
-#line 607 "ext/standard/var_unserializer.c"
+#line 612 "ext/standard/var_unserializer.c"
yy16:
yych = *++YYCURSOR;
goto yy3;
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 708 "ext/standard/var_unserializer.re"
+#line 717 "ext/standard/var_unserializer.re"
{
size_t len, len2, len3, maxlen;
long elements;
elements = object_common1(UNSERIALIZE_PASSTHRU, ce);
+ if (elements < 0) {
+ efree(class_name);
+ return 0;
+ }
+
if (incomplete_class) {
php_store_class_name(*rval, class_name, len2);
}
return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
-#line 785 "ext/standard/var_unserializer.c"
+#line 795 "ext/standard/var_unserializer.c"
yy25:
yych = *++YYCURSOR;
if (yych <= ',') {
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 699 "ext/standard/var_unserializer.re"
+#line 704 "ext/standard/var_unserializer.re"
{
+ long elements;
if (!var_hash) return 0;
INIT_PZVAL(*rval);
- return object_common2(UNSERIALIZE_PASSTHRU,
- object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
+ elements = object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR);
+ if (elements < 0) {
+ return 0;
+ }
+ return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
-#line 819 "ext/standard/var_unserializer.c"
+#line 833 "ext/standard/var_unserializer.c"
yy32:
yych = *++YYCURSOR;
if (yych == '+') goto yy33;
yych = *++YYCURSOR;
if (yych != '{') goto yy18;
++YYCURSOR;
-#line 678 "ext/standard/var_unserializer.re"
+#line 683 "ext/standard/var_unserializer.re"
{
long elements = parse_iv(start + 2);
/* use iv() not uiv() in order to check data range */
return finish_nested_data(UNSERIALIZE_PASSTHRU);
}
-#line 861 "ext/standard/var_unserializer.c"
+#line 875 "ext/standard/var_unserializer.c"
yy39:
yych = *++YYCURSOR;
if (yych == '+') goto yy40;
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 643 "ext/standard/var_unserializer.re"
+#line 648 "ext/standard/var_unserializer.re"
{
size_t len, maxlen;
char *str;
ZVAL_STRINGL(*rval, str, len, 0);
return 1;
}
-#line 917 "ext/standard/var_unserializer.c"
+#line 931 "ext/standard/var_unserializer.c"
yy46:
yych = *++YYCURSOR;
if (yych == '+') goto yy47;
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 610 "ext/standard/var_unserializer.re"
+#line 615 "ext/standard/var_unserializer.re"
{
size_t len, maxlen;
char *str;
ZVAL_STRINGL(*rval, str, len, 1);
return 1;
}
-#line 971 "ext/standard/var_unserializer.c"
+#line 985 "ext/standard/var_unserializer.c"
yy53:
yych = *++YYCURSOR;
if (yych <= '/') {
}
yy63:
++YYCURSOR;
-#line 600 "ext/standard/var_unserializer.re"
+#line 605 "ext/standard/var_unserializer.re"
{
#if SIZEOF_LONG == 4
use_double:
ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL));
return 1;
}
-#line 1069 "ext/standard/var_unserializer.c"
+#line 1083 "ext/standard/var_unserializer.c"
yy65:
yych = *++YYCURSOR;
if (yych <= ',') {
yych = *++YYCURSOR;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 585 "ext/standard/var_unserializer.re"
+#line 590 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
INIT_PZVAL(*rval);
return 1;
}
-#line 1143 "ext/standard/var_unserializer.c"
+#line 1157 "ext/standard/var_unserializer.c"
yy76:
yych = *++YYCURSOR;
if (yych == 'N') goto yy73;
if (yych <= '9') goto yy79;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 558 "ext/standard/var_unserializer.re"
+#line 563 "ext/standard/var_unserializer.re"
{
#if SIZEOF_LONG == 4
int digits = YYCURSOR - start - 3;
ZVAL_LONG(*rval, parse_iv(start + 2));
return 1;
}
-#line 1197 "ext/standard/var_unserializer.c"
+#line 1211 "ext/standard/var_unserializer.c"
yy83:
yych = *++YYCURSOR;
if (yych <= '/') goto yy18;
yych = *++YYCURSOR;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 551 "ext/standard/var_unserializer.re"
+#line 556 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
INIT_PZVAL(*rval);
ZVAL_BOOL(*rval, parse_iv(start + 2));
return 1;
}
-#line 1212 "ext/standard/var_unserializer.c"
+#line 1226 "ext/standard/var_unserializer.c"
yy87:
++YYCURSOR;
-#line 544 "ext/standard/var_unserializer.re"
+#line 549 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
INIT_PZVAL(*rval);
ZVAL_NULL(*rval);
return 1;
}
-#line 1222 "ext/standard/var_unserializer.c"
+#line 1236 "ext/standard/var_unserializer.c"
yy89:
yych = *++YYCURSOR;
if (yych <= ',') {
if (yych <= '9') goto yy91;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 521 "ext/standard/var_unserializer.re"
+#line 526 "ext/standard/var_unserializer.re"
{
long id;
return 1;
}
-#line 1268 "ext/standard/var_unserializer.c"
+#line 1282 "ext/standard/var_unserializer.c"
yy95:
yych = *++YYCURSOR;
if (yych <= ',') {
if (yych <= '9') goto yy97;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 500 "ext/standard/var_unserializer.re"
+#line 505 "ext/standard/var_unserializer.re"
{
long id;
return 1;
}
-#line 1312 "ext/standard/var_unserializer.c"
+#line 1326 "ext/standard/var_unserializer.c"
}
-#line 863 "ext/standard/var_unserializer.re"
+#line 877 "ext/standard/var_unserializer.re"
return 0;
projects / php / commitdiff