Proper fix for MOPB-29

diff --git a/ext/standard/tests/serialize/unserializeS.phpt b/ext/standard/tests/serialize/unserializeS.phpt
index 8516f7183ef4737ac2ac196d53c1892f02a265df..897208bb597fdf8775c11c306441fb23ab502c67 100755 (executable)
--- a/ext/standard/tests/serialize/unserializeS.phpt
+++ b/ext/standard/tests/serialize/unserializeS.phpt
@@ -11,4 +11,4 @@ $data = unserialize($str);
 var_dump($data);
 
 --EXPECT--
-string(100) "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+bool(false)

diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
index cfb031ff0ee485c7ca13f4e530ea505b11ebb0be..68485be65c2299a9ce54b66a74c551ed62af0c54 100644 (file)
--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
@@ -112,18 +112,22 @@ static UChar *unserialize_ustr(const unsigned char **p, int len)
        return ustr;
 }
 
-static char *unserialize_str(const unsigned char **p, int *len)
+static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen)
 {
        size_t i, j;
        char *str = safe_emalloc(*len, 1, 1);
-       unsigned char *end = *(unsigned char **)p+*len;
+       unsigned char *end = *(unsigned char **)p+maxlen;
 
        if(end < *p) {
                efree(str);
                return NULL;
        }
 
-       for (i = 0; i < *len && *p < end; i++) {
+       for (i = 0; i < *len; i++) {
+               if (*p >= end) {
+                       efree(str);
+                       return NULL;
+               }
                if (**p != '\\') {
                        str[i] = (char)**p;
                } else {
@@ -142,7 +146,6 @@ static char *unserialize_str(const unsigned char **p, int *len)
                                        return NULL;
                                }
                        }
-                       end += 2;
                        str[i] = (char)ch;
                }
                (*p)++;
@@ -866,7 +869,7 @@ yy49:
                return 0;
        }
 
-       if ((str = unserialize_str(&YYCURSOR, &len)) == NULL) {
+       if ((str = unserialize_str(&YYCURSOR, &len, maxlen)) == NULL) {
                return 0;
        }
 

diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 9f8a0288606e394cb46002bde0acfe77b206ca99..0486a90818e2d495972ade0416f82eb7aed53c18 100644 (file)
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -110,18 +110,22 @@ static UChar *unserialize_ustr(const unsigned char **p, int len)
        return ustr;
 }
 
-static char *unserialize_str(const unsigned char **p, int *len)
+static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen)
 {
        size_t i, j;
        char *str = safe_emalloc(*len, 1, 1);
-       unsigned char *end = *(unsigned char **)p+*len;
+       unsigned char *end = *(unsigned char **)p+maxlen;
 
        if(end < *p) {
                efree(str);
                return NULL;
        }
 
-       for (i = 0; i < *len && *p < end; i++) {
+       for (i = 0; i < *len; i++) {
+               if (*p >= end) {
+                       efree(str);
+                       return NULL;
+               }
                if (**p != '\\') {
                        str[i] = (char)**p;
                } else {
@@ -140,7 +144,6 @@ static char *unserialize_str(const unsigned char **p, int *len)
                                        return NULL;
                                }
                        }
-                       end += 2;
                        str[i] = (char)ch;
                }
                (*p)++;
@@ -578,7 +581,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
                return 0;
        }
 
-       if ((str = unserialize_str(&YYCURSOR, &len)) == NULL) {
+       if ((str = unserialize_str(&YYCURSOR, &len, maxlen)) == NULL) {
                return 0;
        }