Fix leak in SplObjectStorage unserialization

The result of php_var_unserialize always needs to be destroyed,
even if the call failed.

diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index e4342a8788aef68d0d86137662846dc03a45122b..adf59128a160b226c0532be69d75ea5f3f33bf92 100644 (file)
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -804,12 +804,14 @@ SPL_METHOD(SplObjectStorage, unserialize)
                }
                /* store reference to allow cross-references between different elements */
                if (!php_var_unserialize(&entry, &p, s + buf_len, &var_hash)) {
+                       zval_ptr_dtor(&entry);
                        goto outexcept;
                }
                if (*p == ',') { /* new version has inf */
                        ++p;
                        if (!php_var_unserialize(&inf, &p, s + buf_len, &var_hash)) {
                                zval_ptr_dtor(&entry);
+                               zval_ptr_dtor(&inf);
                                goto outexcept;
                        }
                }

diff --git a/ext/standard/tests/serialize/unserialize_leak.phpt b/ext/standard/tests/serialize/unserialize_leak.phpt
new file mode 100644 (file)
index 0000000..383bcfc
--- /dev/null
+++ b/ext/standard/tests/serialize/unserialize_leak.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Unserialize leak in SplObjectStorage
+--FILE--
+<?php
+
+$payload = 'C:16:"SplObjectStorage":113:{x:i:2;O:8:"stdClass":1:{},a:2:{s:4:"prev";i:2;s:4:"next";O:8:"stdClass":0:{}};r:7;,R:2;s:4:"next";;r:3;};m:a:0:{}}';
+try {
+    var_dump(unserialize($payload));
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECTF--
+Notice: SplObjectStorage::unserialize(): Unexpected end of serialized data in %s on line %d
+Error at offset 24 of 113 bytes