Proper fix for MOPB-29

author Dmitry Stogov <dmitry@php.net>

Mon, 9 Jul 2007 14:31:56 +0000 (14:31 +0000)

committer Dmitry Stogov <dmitry@php.net>

Mon, 9 Jul 2007 14:31:56 +0000 (14:31 +0000)
author Dmitry Stogov <dmitry@php.net>
Mon, 9 Jul 2007 14:31:56 +0000 (14:31 +0000)
committer Dmitry Stogov <dmitry@php.net>
Mon, 9 Jul 2007 14:31:56 +0000 (14:31 +0000)
diff --git a/ext/standard/tests/serialize/unserializeS.phpt b/ext/standard/tests/serialize/unserializeS.phpt

index 8516f7183ef4737ac2ac196d53c1892f02a265df..897208bb597fdf8775c11c306441fb23ab502c67 100755 (executable)
--- a/ext/standard/tests/serialize/unserializeS.phpt
+++ b/ext/standard/tests/serialize/unserializeS.phpt
@@ -11,4 +11,4 @@ $data = unserialize($str);
  var_dump($data);
  
  --EXPECT--
-string(100) "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+bool(false)
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c

index c431f53b0a14c2a14eb6ae907f236533761033f7..3cadea7d29e2cba7dda437b5e4336fbfe3a61b61 100644 (file)
--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
@@ -140,18 +140,22 @@ PHPAPI void var_destroy(php_unserialize_data_t *var_hashx)
  
  /* }}} */
  
-static char *unserialize_str(const unsigned char **p, size_t *len)
+static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen)
  {
         size_t i, j;
         char *str = safe_emalloc(*len, 1, 1);
-       unsigned char *end = *(unsigned char **)p+*len;
+       unsigned char *end = *(unsigned char **)p+maxlen;
  
         if(end < *p) {
                 efree(str);
                 return NULL;
         }
  
-       for (i = 0; i < *len && *p < end; i++) {
+       for (i = 0; i < *len; i++) {
+               if (*p >= end) {
+                       efree(str);
+                       return NULL;
+               }
                 if (**p != '\\') {
                         str[i] = (char)**p;
                 } else {
@@ -757,7 +761,7 @@ yy41:
                 return 0;
         }
  
-       if ((str = unserialize_str(&YYCURSOR, &len)) == NULL) {
+       if ((str = unserialize_str(&YYCURSOR, &len, maxlen)) == NULL) {
                 return 0;
         }
  
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re

index 59f755c5487e82daff7888acfd7318531fc72819..b5a0e0b03c1a33e1f0d95b9e01d0406590442de8 100644 (file)
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -138,18 +138,22 @@ PHPAPI void var_destroy(php_unserialize_data_t *var_hashx)
  
  /* }}} */
  
-static char *unserialize_str(const unsigned char **p, size_t *len)
+static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen)
  {
         size_t i, j;
         char *str = safe_emalloc(*len, 1, 1);
-       unsigned char *end = *(unsigned char **)p+*len;
+       unsigned char *end = *(unsigned char **)p+maxlen;
  
         if(end < *p) {
                 efree(str);
                 return NULL;
         }
  
-       for (i = 0; i < *len && *p < end; i++) {
+       for (i = 0; i < *len; i++) {
+               if (*p >= end) {
+                       efree(str);
+                       return NULL;
+               }
                 if (**p != '\\') {
                         str[i] = (char)**p;
                 } else {
@@ -525,7 +529,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
                 return 0;
         }
  
-       if ((str = unserialize_str(&YYCURSOR, &len)) == NULL) {
+       if ((str = unserialize_str(&YYCURSOR, &len, maxlen)) == NULL) {
                 return 0;
         }
author	Dmitry Stogov <dmitry@php.net>
	Mon, 9 Jul 2007 14:31:56 +0000 (14:31 +0000)
committer	Dmitry Stogov <dmitry@php.net>
	Mon, 9 Jul 2007 14:31:56 +0000 (14:31 +0000)
ext/standard/tests/serialize/unserializeS.phpt		patch \| blob \| history
ext/standard/var_unserializer.c		patch \| blob \| history
ext/standard/var_unserializer.re		patch \| blob \| history