From: Dmitry Stogov
Date: Mon, 9 Jul 2007 14:33:37 +0000 (+0000)
Subject: Proper fix for MOPB-29
X-Git-Tag: BEFORE_IMPORT_OF_MYSQLND~288
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d71bcb658c1d74998778c1a4e6fb1f057882908b;p=php

Proper fix for MOPB-29
---

diff --git a/ext/standard/tests/serialize/unserializeS.phpt b/ext/standard/tests/serialize/unserializeS.phpt
index 8516f7183e..897208bb59 100755
--- a/ext/standard/tests/serialize/unserializeS.phpt
+++ b/ext/standard/tests/serialize/unserializeS.phpt
@@ -11,4 +11,4 @@ $data = unserialize($str);
 var_dump($data);
 --EXPECT--
-string(100) "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+bool(false)
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
index cfb031ff0e..68485be65c 100644
--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
@@ -112,18 +112,22 @@ static UChar *unserialize_ustr(const unsigned char **p, int len)
 return ustr;
 }
-static char *unserialize_str(const unsigned char **p, int *len)
+static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen)
 {
 size_t i, j;
 char *str = safe_emalloc(*len, 1, 1);
- unsigned char *end = *(unsigned char **)p+*len;
+ unsigned char *end = *(unsigned char **)p+maxlen;
 if(end < *p) {
 efree(str);
 return NULL;
 }
- for (i = 0; i < *len && *p < end; i++) {
+ for (i = 0; i < *len; i++) {
+ if (*p >= end) {
+ efree(str);
+ return NULL;
+ }
 if (**p != '\\') {
 str[i] = (char)**p;
 } else {
@@ -142,7 +146,6 @@ static char *unserialize_str(const unsigned char **p, int *len)
 return NULL;
 }
 }
- end += 2;
 str[i] = (char)ch;
 }
 (*p)++;
@@ -866,7 +869,7 @@ yy49:
 return 0;
 }
- if ((str = unserialize_str(&YYCURSOR, &len)) == NULL) {
+ if ((str = unserialize_str(&YYCURSOR, &len, maxlen)) == NULL) {
 return 0;
 }
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 9f8a028860..0486a90818 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -110,18 +110,22 @@ static UChar *unserialize_ustr(const unsigned char **p, int len)
 return ustr;
 }
-static char *unserialize_str(const unsigned char **p, int *len)
+static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen)
 {
 size_t i, j;
 char *str = safe_emalloc(*len, 1, 1);
- unsigned char *end = *(unsigned char **)p+*len;
+ unsigned char *end = *(unsigned char **)p+maxlen;
 if(end < *p) {
 efree(str);
 return NULL;
 }
- for (i = 0; i < *len && *p < end; i++) {
+ for (i = 0; i < *len; i++) {
+ if (*p >= end) {
+ efree(str);
+ return NULL;
+ }
 if (**p != '\\') {
 str[i] = (char)**p;
 } else {
@@ -140,7 +144,6 @@ static char *unserialize_str(const unsigned char **p, int *len)
 return NULL;
 }
 }
- end += 2;
 str[i] = (char)ch;
 }
 (*p)++;
@@ -578,7 +581,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 return 0;
 }
- if ((str = unserialize_str(&YYCURSOR, &len)) == NULL) {
+ if ((str = unserialize_str(&YYCURSOR, &len, maxlen)) == NULL) {
 return 0;
 }
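Review bot: `char *str = safe_emalloc(*len, 1, 1);` still runs before `*len` is compared with the new `maxlen`, so unserialize_str commits an allocation of a size taken from the serialized payload before it knows that many input bytes can exist. Every iteration stores one byte of `str` and advances `*p` at least once (the `(*p)++` at the end of the next hunk appears to be per-iteration), so any `*len > maxlen` is bound to end in the new `*p >= end` failure; `if (*len > maxlen) { return NULL; }` placed before the `safe_emalloc` line therefore rejects exactly the same inputs without the allocation. The caller may already enforce this bound (the `return 0;` block visible just before the call in the last hunk hints at it), but the check belongs in the function that does the allocation. The escape branch of unserialize_str lies between this hunk and the next, so the function is only partly visible here; the generated var_unserializer.c carries the same code and needs the same treatment.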
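Review bot: With `end += 2;` removed, `end` is a fixed input bound, but the only comparison against it in the new code is the `*p >= end` test at the top of each iteration in the previous hunk, which covers just the first byte of an escape sequence; the bytes the escape branch consumes after that (the removed `end += 2` and the `j` counter suggest two) are not visibly compared with `end`. Unless that branch already checks, an escape that begins within the last two bytes before `end` makes `**p` read past the bound before the hex-digit test can reject it; a guard such as `if (end - *p < 3) { efree(str); return NULL; }` at the start of the escape branch would keep every read inside `[*p, end)`. The escape branch itself sits between the previous hunk and this one, so this may already be handled there and should be confirmed. The matching hunk in the generated var_unserializer.c has the same gap if this one does.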
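Review bot: `&len` is now passed to a `size_t *` parameter, but the declaration of `len` (and of `maxlen`) is outside this hunk, so the commit should be checked to change `len` to `size_t` as well if it was `int`; with the old type the pointer types are incompatible and the callee would read the length through the wrong type. A one-line comment at the call stating what `maxlen` measures would also help, e.g. `/* maxlen: bytes available from YYCURSOR to the end of the input buffer */` — presumably that, but the hunk does not show how it is computed. The enclosing php_var_unserialize rule starts and ends outside the hunk; the generated var_unserializer.c has the identical call at its `yy49:` hunk.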