From: Nikita Popov
Date: Sun, 25 Jun 2017 17:48:17 +0000 (+0200)
Subject: Fixed bug #73900
X-Git-Tag: php-7.0.22RC1~42
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2fddc4a7f1588239939a509781706c084939e09f;p=php

Fixed bug #73900
---

diff --git a/NEWS b/NEWS
index d0ddb656b0..58e7654de8 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,7 @@ PHP NEWS
 . Fixed bug #74780 (parse_url() borken when query string contains colon). (jhdxr) . Fixed bug #74761 (Unary operator expected error on some systems). (petk) + . Fixed bug #73900 (Use After Free in unserialize() SplFixedArray). (nikic) - SPL: . Fixed bug #73471 (PHP freezes with AppendIterator). (jhdxr)
diff --git a/Zend/tests/bug73900.phpt b/Zend/tests/bug73900.phpt
new file mode 100644
index 0000000000..fbd5b8604a
--- /dev/null
+++ b/Zend/tests/bug73900.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #73900: Use After Free in unserialize() SplFixedArray
+--FILE--
+--EXPECT--
+object(stdClass)#1 (0) {
+}
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index a5d09f41e8..a4fb7ae10b 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1758,16 +1758,9 @@ convert_to_array:
 zend_error(E_NOTICE, "Indirect modification of overloaded element of %s has no effect", ZSTR_VAL(ce->name));
 } else if (EXPECTED(retval && Z_TYPE_P(retval) != IS_UNDEF)) {
 if (!Z_ISREF_P(retval)) {
- if (Z_REFCOUNTED_P(retval) &&
- Z_REFCOUNT_P(retval) > 1) {
- if (Z_TYPE_P(retval) != IS_OBJECT) {
- Z_DELREF_P(retval);
- ZVAL_DUP(result, retval);
- retval = result;
- } else {
- ZVAL_COPY_VALUE(result, retval);
- retval = result;
- }
+ if (result != retval) {
+ ZVAL_COPY(result, retval);
+ retval = result;
 }
 if (Z_TYPE_P(retval) != IS_OBJECT) {
 zend_class_entry *ce = Z_OBJCE_P(container);
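Review bot: The new `if (result != retval)` branch in the zend_execute.c hunk is the entire lifetime fix — taking an addref'd copy into `result` so `retval` no longer aliases a zval the handler owns — yet nothing in the code says so, and the `Z_REFCOUNT_P(retval) > 1` guard it replaces reads like a copy-avoidance optimization that a later refactor could reinstate, which would presumably bring back the refcount-1 case the NEWS entry describes as a use-after-free. A one-line comment above the branch would pin the intent: `/* Always hold our own reference: retval may point into storage the read_dimension handler can free before this fetch completes (bug #73900). */`. Note also that `ZVAL_COPY` shares a non-object value where the old `ZVAL_DUP` separated it up front, so any write through `result` after the `Z_OBJCE_P(container)` line now depends on copy-on-write separation happening later in the write path, which lies outside the hunk and is worth confirming. The enclosing function (the `convert_to_array:` label's owner) starts and ends outside the hunk.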