MFH: - Fixed bug #25378 (Invalid data passed to unserialize() causes segfault)

diff --git a/NEWS b/NEWS
index 58e431178e02feaf1268be7e410d29ab91b3f523..8f8d96d024d10b6435ce1661d62628533093254a 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,7 @@ PHP 4                                                                      NEWS
 - Fixed crash bug when non-existing save/serializer handler was used. (Jani)
 - Fixed memory leak in gethostbynamel() if an error occurs. (Sara)
 - Fixed FastCGI being unable to bind to a specific IP. (Sascha)
+- Fixed bug #25378 (unserialize() crashes with invalid data). (Jani)
 - Fixed bug #25372 (sscanf() does not work with %X). (Jani)
 - Fixed bug #25348 ("make install" fails with --enable-short-tags). (Jani)
 - Fixed bug #25343 (is_dir() gives warning on FreeBSD). (Jani)

diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 8ad0985619e333483684bbf2f876b49c9152235c..efdbdac5ef160f6724c1fa1511d32dc4a19bc111 100644 (file)
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -90,6 +90,7 @@ PHPAPI void var_destroy(php_unserialize_data_t *var_hashx)
 
 
 /*!re2c
+uiv = [+]? [0-9]+;
 iv = [+-]? [0-9]+;
 nv = [+-]? ([0-9]* "." [0-9]+|[0-9]+ "." [0-9]*);
 nvexp = (iv | nv) [eE] [+-]? iv;
@@ -281,7 +282,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
        return 1;
 }
 
-"s:" iv ":" ["]        {
+"s:" uiv ":" ["]       {
        int len;
        char *str;
 
@@ -301,7 +302,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
        return 1;
 }
 
-"a:" iv ":" "{" {
+"a:" uiv ":" "{" {
        int elements = parse_iv(start + 2);
 
        *p = YYCURSOR;
@@ -327,7 +328,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
                        object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
 }
 
-"O:" iv ":" ["]        {
+"O:" uiv ":" ["]       {
        int len;
        int elements;
        int len2;