Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object...
authorStanislav Malyshev <stas@php.net>
Tue, 11 Oct 2016 05:54:29 +0000 (22:54 -0700)
committerAnatol Belski <ab@php.net>
Thu, 13 Oct 2016 23:36:57 +0000 (01:36 +0200)
(cherry picked from commit 61cdd1255d5b9c8453be71aacbbf682796ac77d4)

ext/spl/spl_observer.c

index 4ad0c6d15e668b4efc514007cc266eb571d4527e..b94ab401cff9b3043f7c71c90a4919eb237198c9 100644 (file)
@@ -788,6 +788,9 @@ SPL_METHOD(SplObjectStorage, unserialize)
        --p; /* for ';' */
        count = Z_LVAL_P(pcount);
 
+       ZVAL_UNDEF(&entry);
+       ZVAL_UNDEF(&inf);
+
        while (count-- > 0) {
                spl_SplObjectStorageElement *pelement;
                zend_hash_key key;
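Review bot: `inf` is now cleared only once, before the `while` loop, and the per-iteration `else { ZVAL_UNDEF(&inf); }` reset is removed in the next hunk, so an element without a `,` part relies on the previous iteration having left `inf` undefined. The end of the loop body is outside both hunks; if it does not already do so, it should reset both values after releasing them, e.g. `zval_ptr_dtor(&inf); ZVAL_UNDEF(&inf);` and the same for `entry`. Otherwise a later old-format element could be attached with a value from an earlier iteration, or an error path could call `zval_ptr_dtor` on a value that was already released.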
@@ -803,18 +806,17 @@ SPL_METHOD(SplObjectStorage, unserialize)
                if (!php_var_unserialize(&entry, &p, s + buf_len, &var_hash)) {
                        goto outexcept;
                }
-               if (Z_TYPE(entry) != IS_OBJECT) {
-                       zval_ptr_dtor(&entry);
-                       goto outexcept;
-               }
                if (*p == ',') { /* new version has inf */
                        ++p;
                        if (!php_var_unserialize(&inf, &p, s + buf_len, &var_hash)) {
                                zval_ptr_dtor(&entry);
                                goto outexcept;
                        }
-               } else {
-                       ZVAL_UNDEF(&inf);
+               }
+               if (Z_TYPE(entry) != IS_OBJECT) {
+                       zval_ptr_dtor(&entry);
+                       zval_ptr_dtor(&inf);
+                       goto outexcept;
                }
 
                if (spl_object_storage_get_hash(&key, intern, getThis(), &entry) == FAILURE) {
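Review bot: The `Z_TYPE(entry) != IS_OBJECT` check now runs only after the optional `inf` value has been parsed, and nothing in the code says why that order matters, so a later cleanup could move it back up. A short comment above the check would help, for example `/* Type check must follow the inf parse: entry has to stay alive while var_hash may still refer to it. */`. That rationale is inferred from the commit title and the removed early `zval_ptr_dtor(&entry)`, so the author should confirm it. Separately, the failure branch of the `inf` parse a few lines above still releases only `entry`. Now that `inf` is initialised before the loop, adding `zval_ptr_dtor(&inf);` there would make the error paths consistent, in case a failed `php_var_unserialize` can leave a value behind.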