From: foobar Date: Wed, 3 Sep 2003 16:26:42 +0000 (+0000) Subject: MFH: - Fixed bug #25378 (Invalid data passed to unserialize() causes segfault) X-Git-Tag: php-4.3.4RC1~109 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d20b3d0ed5ebffe8f8ad08859b651de3e066a132;p=php MFH: - Fixed bug #25378 (Invalid data passed to unserialize() causes segfault) --- diff --git a/NEWS b/NEWS index 58e431178e..8f8d96d024 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,7 @@ PHP 4 NEWS - Fixed crash bug when non-existing save/serializer handler was used. (Jani) - Fixed memory leak in gethostbynamel() if an error occurs. (Sara) - Fixed FastCGI being unable to bind to a specific IP. (Sascha) +- Fixed bug #25378 (unserialize() crashes with invalid data). (Jani) - Fixed bug #25372 (sscanf() does not work with %X). (Jani) - Fixed bug #25348 ("make install" fails with --enable-short-tags). (Jani) - Fixed bug #25343 (is_dir() gives warning on FreeBSD). (Jani) diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index 8ad0985619..efdbdac5ef 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re @@ -90,6 +90,7 @@ PHPAPI void var_destroy(php_unserialize_data_t *var_hashx) /*!re2c +uiv = [+]? [0-9]+; iv = [+-]? [0-9]+; nv = [+-]? ([0-9]* "." [0-9]+|[0-9]+ "." [0-9]*); nvexp = (iv | nv) [eE] [+-]? iv; @@ -281,7 +282,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER) return 1; } -"s:" iv ":" ["] { +"s:" uiv ":" ["] { int len; char *str; @@ -301,7 +302,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER) return 1; } -"a:" iv ":" "{" { +"a:" uiv ":" "{" { int elements = parse_iv(start + 2); *p = YYCURSOR; @@ -327,7 +328,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER) object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR)); } -"O:" iv ":" ["] { +"O:" uiv ":" ["] { int len; int elements; int len2;