Fixed bug #37947 (zend_ptr_stack reallocation problem)
authorDmitry Stogov <dmitry@php.net>
Mon, 10 Jul 2006 14:02:40 +0000 (14:02 +0000)
committerDmitry Stogov <dmitry@php.net>
Mon, 10 Jul 2006 14:02:40 +0000 (14:02 +0000)
NEWS
ext/standard/tests/serialize/bug37947.phpt [new file with mode: 0755]
ext/standard/var.c

diff --git a/NEWS b/NEWS
index 6c717876e8f6f637bcc51019f5e0436eceed7fac..9c82673f9acd18c41c3de5370074fd87fa8ce5f2 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -90,6 +90,7 @@ PHP                                                                        NEWS
 - Fixed bug #38003 (in classes inherited from MySQLi it's possible to call 
   private constructors from invalid context). (Tony)
 - Fixed bug #37987 (invalid return of file_exists() in safe mode). (Ilia)
+- Fixed bug #37947 (zend_ptr_stack reallocation problem). (Dmitry)
 - Fixed bug #37931 (possible crash in OCI8 after database restart 
   when using persistent connections). (Tony)
 - Fixed bug #37920 (compilation problems on z/OS). (Tony)
diff --git a/ext/standard/tests/serialize/bug37947.phpt b/ext/standard/tests/serialize/bug37947.phpt
new file mode 100755 (executable)
index 0000000..7b106cb
--- /dev/null
@@ -0,0 +1,21 @@
+--TEST--
+Bug #37947 (zend_ptr_stack reallocation problem)
+--INI--
+error_reporting=0
+--FILE--
+<?
+class test {
+        function extend_zend_ptr_stack($count,$a,$b,$c,$d,$e) {
+                if ($count>0) $this->extend_zend_ptr_stack($count -
+1,$a,$b,$c,$d,$e);
+        }
+
+        function __wakeup() {
+                $this->extend_zend_ptr_stack(10,'a','b','c','d','e');
+        }
+}
+
+$str='a:2:{i:0;O:4:"test":0:{}junk';
+var_dump(unserialize($str));
+--EXPECT--
+bool(false)
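Review bot: The test opens its script with the short tag `<?`, and the `--INI--` section only sets `error_reporting=0`, so on a build or run configuration where short_open_tag is off the body would be echoed as text instead of executed; `<?php` would make it independent of that setting. Suppressing all errors also means the test cannot tell the intended "Error at offset" notice apart from any other diagnostic. Since the defect being guarded against is a read through a stale pointer, a plain `bool(false)` may still appear on an unfixed build unless the run is done under a memory checker, so it may be worth stating that expectation in the test description.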
index db9fd604735f9d9eecf1e9b3a7d1b23ee6afc136..7a810138891fbf8415c4c902d4d5a0a5c397ebd9 100644 (file)
@@ -881,32 +881,28 @@ PHP_FUNCTION(serialize)
 
 PHP_FUNCTION(unserialize)
 {
-       zval **buf;
+       char *buf;
+       int buf_len;
+       const unsigned char *p;
        php_unserialize_data_t var_hash;
        
-       if (ZEND_NUM_ARGS() != 1 || zend_get_parameters_ex(1, &buf) == FAILURE) {
-               WRONG_PARAM_COUNT;
+       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
+               RETURN_FALSE;
        }
 
-       if (Z_TYPE_PP(buf) == IS_STRING) {
-               const unsigned char *p = (unsigned char*)Z_STRVAL_PP(buf);
-
-               if (Z_STRLEN_PP(buf) == 0) {
-                       RETURN_FALSE;
-               }
+       if (buf_len == 0) {
+               RETURN_FALSE;
+       }
 
-               PHP_VAR_UNSERIALIZE_INIT(var_hash);
-               if (!php_var_unserialize(&return_value, &p, p + Z_STRLEN_PP(buf),  &var_hash TSRMLS_CC)) {
-                       PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
-                       zval_dtor(return_value);
-                       php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Error at offset %ld of %d bytes", (long)((char*)p - Z_STRVAL_PP(buf)), Z_STRLEN_PP(buf));
-                       RETURN_FALSE;
-               }
+       p = (const unsigned char*)buf;
+       PHP_VAR_UNSERIALIZE_INIT(var_hash);
+       if (!php_var_unserialize(&return_value, &p, p + buf_len,  &var_hash TSRMLS_CC)) {
                PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
-       } else {
-               php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Argument is not a string");
+               zval_dtor(return_value);
+               php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len);
                RETURN_FALSE;
        }
+       PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 }
 
 /* }}} */
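Review bot: Nothing in the new body of PHP_FUNCTION(unserialize) records why the string pointer and length are now copied into the locals `buf`/`buf_len` before `php_var_unserialize()` runs, so a later cleanup could reintroduce a pointer into the argument stack. Judging by the commit title and the new test, user code reached through `__wakeup()` can grow zend_ptr_stack and move it while unserialization is still in progress, which presumably left the old `zval **buf` dangling when the error path read it. I would add above `p = (const unsigned char*)buf;` a comment such as `/* buf/buf_len are copies: __wakeup() may realloc the argument stack, so hold no zval** across php_var_unserialize() */`. Separately, switching to `zend_parse_parameters(... "s" ...)` drops the "Argument is not a string" notice and appears to let non-string scalars be converted rather than rejected; if that is intended, it deserves a mention in NEWS or the commit message.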