Fix signed integer overflow in SplObjectStorage unserialization

author Nikita Popov <nikita.ppv@gmail.com>

Mon, 23 Sep 2019 11:16:58 +0000 (13:16 +0200)

committer Nikita Popov <nikita.ppv@gmail.com>

Mon, 23 Sep 2019 11:18:27 +0000 (13:18 +0200)
author Nikita Popov <nikita.ppv@gmail.com>
Mon, 23 Sep 2019 11:16:58 +0000 (13:16 +0200)
committer Nikita Popov <nikita.ppv@gmail.com>
Mon, 23 Sep 2019 11:18:27 +0000 (13:18 +0200)
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c

index adf59128a160b226c0532be69d75ea5f3f33bf92..605a9234d1f7c4b79d66f5a5ec522e2c7be8a17a 100644 (file)
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -787,6 +787,9 @@ SPL_METHOD(SplObjectStorage, unserialize)
  
         --p; /* for ';' */
         count = Z_LVAL_P(pcount);
+       if (count < 0) {
+               goto outexcept;
+       }
  
         ZVAL_UNDEF(&entry);
         ZVAL_UNDEF(&inf);
diff --git a/ext/standard/tests/serialize/splobjectstorage_negative_count.phpt b/ext/standard/tests/serialize/splobjectstorage_negative_count.phpt

new file mode 100644 (file)

index 0000000..4dda491
--- /dev/null
+++ b/ext/standard/tests/serialize/splobjectstorage_negative_count.phpt
@@ -0,0 +1,15 @@
+--TEST--
+OSS-Fuzz: Unserializing SplObjectStorage with negative number of elements
+--FILE--
+<?php
+
+$str = 'C:16:"SplObjectStorage":25:{x:i:-9223372036854775808;}';
+try {
+    var_dump(unserialize($str));
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Error at offset 24 of 25 bytes
author	Nikita Popov <nikita.ppv@gmail.com>
	Mon, 23 Sep 2019 11:16:58 +0000 (13:16 +0200)
committer	Nikita Popov <nikita.ppv@gmail.com>
	Mon, 23 Sep 2019 11:18:27 +0000 (13:18 +0200)
ext/spl/spl_observer.c		patch \| blob \| history
ext/standard/tests/serialize/splobjectstorage_negative_count.phpt	[new file with mode: 0644]	patch \| blob