Fixed bug #34045 (Buffer overflow with serialized object)
authorDmitry Stogov <dmitry@php.net>
Wed, 10 Aug 2005 06:37:19 +0000 (06:37 +0000)
committerDmitry Stogov <dmitry@php.net>
Wed, 10 Aug 2005 06:37:19 +0000 (06:37 +0000)
NEWS
Zend/tests/bug34045.phpt [new file with mode: 0755]
Zend/zend_vm_def.h
Zend/zend_vm_execute.h

diff --git a/NEWS b/NEWS
index fd08624c8396cc1879f12d105ec864ed30972feb..04d8ca8d5301b75034d77b061f6f509448518124 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,7 @@ PHP                                                                        NEWS
 - Fixed "make test" to work for phpized extensions. (Hartmut, Jani)
 - Fixed failing queries (FALSE returned) with mysqli_query() on 64 bit systems.
   (Andrey)
+- Fixed bug #34045 (Buffer overflow with serialized object). (Dmitry)
 - Fixed bug #33999 (object remains object when cast to int). (Dmitry)
 - Fixed bug #33996 (No information given for fatal error on passing invalid
   value to typed argument). (Dmitry)
diff --git a/Zend/tests/bug34045.phpt b/Zend/tests/bug34045.phpt
new file mode 100755 (executable)
index 0000000..61886cf
--- /dev/null
@@ -0,0 +1,28 @@
+--TEST--
+Bug #34045 (Buffer overflow with serialized object)
+--FILE--
+<?php
+class BasicSingleton
+{
+    private static $instance;
+
+    public function __wakeup() {
+        self::$instance = $this;
+    }
+
+    public static function singleton() {
+        if (!(self::$instance instanceof BasicSingleton)) {
+            $c = __CLASS__;
+            self::$instance = new $c;
+        }
+        return self::$instance;
+    }
+}
+
+$db = BasicSingleton::singleton();
+$db_str = serialize($db);
+$db2 = unserialize($db_str);
+echo "ok\n";
+?>
+--EXPECT--
+ok
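Review bot: The test only proves the script reaches `echo "ok\n"`; a regression that corrupted the unserialized object without crashing would still pass. Since __wakeup() stores $this into self::$instance and singleton() returns that instance, the result can be pinned with `var_dump($db2 instanceof BasicSingleton);` and `var_dump(BasicSingleton::singleton() === $db2);` after the unserialize() call, with the two `bool(true)` lines added to `--EXPECT--`. That also makes the test document the refcount-sharing situation it exercises (the singleton holding a second reference to the returned object), which the current version leaves to the reader to infer from the bug number.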
index 1dfc8164a1df3ee032815e186b434beb025e292f..92942b1593b13a99b15fc67d3a3860f2a372b5e2 100644 (file)
@@ -1838,10 +1838,14 @@ ZEND_VM_HELPER(zend_do_fcall_common_helper, ANY, ANY)
                }
 
                EG(current_execute_data) = EXECUTE_DATA;
+
+/*     We shouldn't fix bad extensions here,
+    because it can break proper ones (Bug #34045)
                if (!EX(function_state).function->common.return_reference) {
                        EX_T(opline->result.u.var).var.ptr->is_ref = 0;
                        EX_T(opline->result.u.var).var.ptr->refcount = 1;
                }
+*/
                if (!return_value_used) {
                        zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
                }
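Review bot: The return_reference block is disabled by wrapping live code in a `/* ... */` comment instead of deleting it, which leaves dead code in the handler and only works because the wrapped lines contain no `*/` (C block comments do not nest); the zend_vm_execute.h hunk does the same. Prefer dropping the four code lines and keeping a one-line reason, e.g. `/* Do not reset is_ref/refcount of the return value here: it may already be shared elsewhere (Bug #34045). */`. The removed code forced `refcount = 1` on the returned zval regardless of other holders, so the `zval_ptr_dtor` that follows when the result is unused could release a zval still referenced elsewhere — presumably the memory corruption the new test reproduces, though the exact mechanism is not visible in this hunk. zend_do_fcall_common_helper begins and ends outside the hunk.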
index 2b6662a150dc7c0f8ccf2573cd682ac766c75a85..d1f492836f3bb17c48e040e9ca842124a46e19b8 100644 (file)
@@ -187,10 +187,14 @@ static int zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS)
                }
 
                EG(current_execute_data) = execute_data;
+
+/*     We shouldn't fix bad extensions here,
+    because it can break proper ones (Bug #34045)
                if (!EX(function_state).function->common.return_reference) {
                        EX_T(opline->result.u.var).var.ptr->is_ref = 0;
                        EX_T(opline->result.u.var).var.ptr->refcount = 1;
                }
+*/
                if (!return_value_used) {
                        zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
                }