]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2142d78)
Fixed bug #68044: Integer overflow in unserialize() (32-bits only)
authorStanislav Malyshev <stas@php.net>
Sun, 28 Sep 2014 21:19:31 +0000 (14:19 -0700)
committerStanislav Malyshev <stas@php.net>
Tue, 14 Oct 2014 17:44:57 +0000 (10:44 -0700)
ext/standard/tests/serialize/bug68044.phpt [new file with mode: 0644] patch | blob
ext/standard/var_unserializer.c patch | blob | history
ext/standard/var_unserializer.re patch | blob | history

diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt
new file mode 100644 (file)
index 0000000..031e44e
--- /dev/null
+++ b/ext/standard/tests/serialize/bug68044.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #68044 Integer overflow in unserialize() (32-bits only)
+--FILE--
+<?php
+       echo unserialize('C:3:"XYZ":18446744075857035259:{}');
+?>
+===DONE==
+--EXPECTF--
+Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2
+
+Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2
+===DONE==
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
index 8b5392a9d7abdf21ad2110c6172f1b8041dab7c6..8b51a20acedf3dccaf38b9e605e32e2dbcf1cefb 100644 (file)
--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
@@ -1,4 +1,4 @@
-/* Generated by re2c 0.13.5 on Fri Apr 18 15:07:27 2014 */
+/* Generated by re2c 0.13.5 */
 #line 1 "ext/standard/var_unserializer.re"
 /*
   +----------------------------------------------------------------------+
@@ -371,7 +371,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
 
        (*p) += 2;
 
-       if (datalen < 0 || (*p) + datalen >= max) {
+       if (datalen < 0 || (max - (*p)) <= datalen) {
                zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
                return 0;
        }
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 3a1b91095386a5110ecf36959c97b0f5c5a134de..ef553ffb538c1a19377e1cf95223cbfcd15e3f36 100644 (file)
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -375,7 +375,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
 
        (*p) += 2;
 
-       if (datalen < 0 || (*p) + datalen >= max) {
+       if (datalen < 0 || (max - (*p)) <= datalen) {
                zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
                return 0;
        }
Unnamed repository; edit this file 'description' to name the repository.