Fixed bug #60240 (invalid read/writes when unserializing specially crafted strings)
authorMichael Wallner <mike@php.net>
Fri, 2 Dec 2011 11:50:22 +0000 (11:50 +0000)
committerMichael Wallner <mike@php.net>
Fri, 2 Dec 2011 11:50:22 +0000 (11:50 +0000)
NEWS
ext/spl/spl_observer.c
ext/spl/tests/SplObjectStorage_unserialize_bad.phpt

diff --git a/NEWS b/NEWS
index 052d46d6434c3f1aefab4b105b326c611efbfbb9..0dde31877ffb6ced6f0ac18eb917e489dc198447 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug #60350 (No string escape code for ESC (ascii 27), normally \e).
     (php at mickweiss dot com)
+  . Fixed bug #60240 (invalid read/writes when unserializing specially crafted
+    strings). (Mike)
 
 - CLI SAPI:
   . Implement FR #60390 (Missing $_SERVER['SERVER_PORT']). (Pierre)
index 2487a08a3cecd375ad5b66fe6ecf014ff2b286e9..419e2dd6f9b02ea5ab11de93633de0a6aee23b92 100755 (executable)
@@ -836,13 +836,11 @@ SPL_METHOD(SplObjectStorage, unserialize)
 
        ALLOC_INIT_ZVAL(pcount);
        if (!php_var_unserialize(&pcount, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pcount) != IS_LONG) {
-               zval_ptr_dtor(&pcount);
                goto outexcept;
        }
 
        --p; /* for ';' */
        count = Z_LVAL_P(pcount);
-       zval_ptr_dtor(&pcount);
                
        while(count-- > 0) {
                spl_SplObjectStorageElement *pelement;
@@ -920,11 +918,16 @@ SPL_METHOD(SplObjectStorage, unserialize)
        zval_ptr_dtor(&pmembers);
 
        /* done reading $serialized */
-
+       if (pcount) {
+               zval_ptr_dtor(&pcount);
+       }
        PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
        return;
 
 outexcept:
+       if (pcount) {
+               zval_ptr_dtor(&pcount);
+       }
        PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
        zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len);
        return;
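Review bot: The new `if (pcount)` guards before the normal `return` and under `outexcept:` are only sound if `pcount` is initialized to NULL at its declaration, which is outside this hunk; any `goto outexcept` taken before `ALLOC_INIT_ZVAL(pcount)` (the first hunk shows that call immediately preceding the count read) would otherwise test an indeterminate pointer, so please confirm the declaration reads `zval *pcount = NULL;` or add that initializer. The reason the two early `zval_ptr_dtor(&pcount)` calls were removed is not recorded anywhere in the code, and a later cleanup could easily move them back; a comment at the new dtor site would prevent that, e.g. `/* pcount must outlive the loop: var_hash presumably still refers to it via R:/r: back-references in the input, so free it only right before PHP_VAR_UNSERIALIZE_DESTROY */`. The same exposure presumably applies to any other zval the loop body (outside the hunk) frees before `PHP_VAR_UNSERIALIZE_DESTROY`, which is worth checking while the code is fresh. `SPL_METHOD(SplObjectStorage, unserialize)` starts before the first hunk and its declarations are not visible here.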
index 00cd67ba9bfdee8d546fccd7f98407a5bf9e5f81..a525317093b63edce028caa01a66586c0e34ae33 100644 (file)
@@ -5,8 +5,8 @@ SPL: Test that serialized blob contains unique elements (CVE-2010-2225)
 
 $badblobs = array(
 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
-'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
-'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
 );
 foreach($badblobs as $blob) {
 try {
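Review bot: The two blobs using `R:1;`/`r:1;` were rewritten to `R:2;`/`r:2;` rather than kept, so after this change no entry in `$badblobs` exercises a back-reference to the first unserialized slot, which is presumably the input shape behind bug #60240 that the spl_observer.c change addresses. Keeping the original `R:1`/`r:1` blobs in the array alongside the new ones, or adding a dedicated bug60240.phpt, would turn the fix into a regression test instead of leaving it covered only indirectly; any expected-output section (outside this hunk) would need the matching lines. A short comment above the array noting which blob targets which bug would also help, since the file header still names only CVE-2010-2225.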