From: Stanislav Malyshev Date: Sun, 28 Sep 2014 21:19:31 +0000 (-0700) Subject: Fixed bug #68044: Integer overflow in unserialize() (32-bits only) X-Git-Tag: POST_NATIVE_TLS_MERGE^2~73^2~5 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3eb679b952f4655f178cf576584ef172602325ab;p=php Fixed bug #68044: Integer overflow in unserialize() (32-bits only) --- diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt new file mode 100644 index 0000000000..031e44e149 --- /dev/null +++ b/ext/standard/tests/serialize/bug68044.phpt @@ -0,0 +1,12 @@ +--TEST-- +Bug #68044 Integer overflow in unserialize() (32-bits only) +--FILE-- + +===DONE== +--EXPECTF-- +Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2 + +Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2 +===DONE== diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c index c94f3eec58..9be2b0658a 100644 --- a/ext/standard/var_unserializer.c +++ b/ext/standard/var_unserializer.c @@ -386,7 +386,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) (*p) += 2; - if (datalen < 0 || (*p) + datalen >= max) { + if (datalen < 0 || (max - (*p)) <= datalen) { zend_error(E_WARNING, "Insufficient data for unserializing - %pd required, %pd present", datalen, (zend_long)(max - (*p))); return 0; } diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index a11f556f7e..1898c7734c 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re @@ -390,7 +390,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) (*p) += 2; - if (datalen < 0 || (*p) + datalen >= max) { + if (datalen < 0 || (max - (*p)) <= datalen) { zend_error(E_WARNING, "Insufficient data for unserializing - %pd required, %pd present", datalen, (zend_long)(max - (*p))); return 0; }