Fix bug #67492: unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion
authorStanislav Malyshev <stas@php.net>
Sun, 22 Jun 2014 02:46:16 +0000 (19:46 -0700)
committerStanislav Malyshev <stas@php.net>
Fri, 18 Jul 2014 23:31:59 +0000 (16:31 -0700)
Conflicts:
ext/spl/spl_array.c
ext/spl/tests/SplObjectStorage_unserialize_bad.phpt

ext/spl/spl_array.c
ext/spl/spl_observer.c
ext/spl/tests/SplObjectStorage_unserialize_bad.phpt

index f2f3f1c61b51036612f52c0619c73fa3e4308227..312beaa0084d1230c4d336813e4d8f1f6307143f 100644 (file)
@@ -1816,7 +1816,7 @@ void spl_array_unserialize_helper(spl_array_object *intern, const unsigned char
        ++p;
 
        ALLOC_INIT_ZVAL(pmembers);
-       if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p TSRMLS_CC)) {
+       if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
                zval_ptr_dtor(&pmembers);
                goto outexcept;
        }
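Review bot: The added `Z_TYPE_P(pmembers) != IS_ARRAY` clause has no comment saying why a value that unserialized successfully is still rejected, and the same bare clause is repeated in the `SPL_METHOD(SplObjectStorage, unserialize)` hunk in ext/spl/spl_observer.c. The type of the members value is chosen by whoever supplies the serialized string, and the code after this block (outside the hunk) presumably reads it as a hash table, which would be the type confusion named in the commit title. I would put `/* members come from untrusted input: accept only an array before it is used as a HashTable */` above the `if` in both places. A small shared helper that unserializes the members and requires an array would also keep the two call sites from drifting apart.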
index 876efea6889f24e6d030fed3f91d6c8504ab0a0a..1a491e1f48a97f2a6138d9048b72205f0e858ba3 100644 (file)
@@ -801,7 +801,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
        ++p;
 
        ALLOC_INIT_ZVAL(pmembers);
-       if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+       if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
                zval_ptr_dtor(&pmembers);
                goto outexcept;
        }
index 9e3f3605b7774f23edf69fda0092f104eb902db5..4adfa6f7b4cbbc9e611df501fe9619f5b0174325 100644 (file)
@@ -5,8 +5,9 @@ SPL: Test that serialized blob contains unique elements (CVE-2010-2225)
 
 $badblobs = array(
 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
-'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
-'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"',
 );
 foreach($badblobs as $blob) {
 try {
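Review bot: The one new blob, ending in `m:s:40:"…"`, exercises only a string in the members slot and only for SplObjectStorage; the matching change to `spl_array_unserialize_helper` in ext/spl/spl_array.c gets no test in this commit's file list. I would add at least one more non-array members case here, for example `'x:i:1;O:8:"stdClass":0:{},N;;m:i:1;',` together with its expected error line, and an equivalent test file for ArrayObject. The `foreach` body continues outside this hunk.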
@@ -17,6 +18,7 @@ try {
        echo $e->getMessage()."\n";
 }
 }
+echo "DONE\n";
 --EXPECTF--
 Error at offset 6 of 34 bytes
 Error at offset 46 of 89 bytes
@@ -42,4 +44,5 @@ object(SplObjectStorage)#2 (1) {
     }
   }
 }
-
+Error at offset 79 of 78 bytes
+DONE
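Review bot: The expected line `Error at offset 79 of 78 bytes` pins an offset that lies past the end of the input. The blob added in the first hunk of this file closes its 40-character string with `"` and no `;`, so presumably the parser's cursor had already stepped beyond the buffer by the time the type check rejected the value. Terminating that string with `;` in the blob would keep this case about the type check alone and the reported offset inside the input. Whether the cursor can overrun the buffer on such input is worth checking separately in the unserializer, which is not part of this diff.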