From: Michael Wallner <mike@php.net>
Date: Fri, 2 Dec 2011 11:50:22 +0000 (+0000)
Subject: Fixed bug #60240 (invalid read/writes when unserializing specially crafted strings)
X-Git-Tag: php-5.4.0RC3~37
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d8ca919da19cd547bb6af90cd3909603609aa348;p=php

Fixed bug #60240 (invalid read/writes when unserializing specially crafted strings)
---

diff --git a/NEWS b/NEWS
index 052d46d643..0dde31877f 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug #60350 (No string escape code for ESC (ascii 27), normally \e).
     (php at mickweiss dot com)
+  . Fixed bug #60240 (invalid read/writes when unserializing specially crafted
+    strings). (Mike)
 
 - CLI SAPI:
   . Implement FR #60390 (Missing $_SERVER['SERVER_PORT']). (Pierre)
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index 2487a08a3c..419e2dd6f9 100755
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -836,13 +836,11 @@ SPL_METHOD(SplObjectStorage, unserialize)
 
 	ALLOC_INIT_ZVAL(pcount);
 	if (!php_var_unserialize(&pcount, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pcount) != IS_LONG) {
-		zval_ptr_dtor(&pcount);
 		goto outexcept;
 	}
 
 	--p; /* for ';' */
 	count = Z_LVAL_P(pcount);
-	zval_ptr_dtor(&pcount);
 		
 	while(count-- > 0) {
 		spl_SplObjectStorageElement *pelement;
@@ -920,11 +918,16 @@ SPL_METHOD(SplObjectStorage, unserialize)
 	zval_ptr_dtor(&pmembers);
 
 	/* done reading $serialized */
-
+	if (pcount) {
+		zval_ptr_dtor(&pcount);
+	}
 	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 	return;
 
 outexcept:
+	if (pcount) {
+		zval_ptr_dtor(&pcount);
+	}
 	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 	zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len);
 	return;
diff --git a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
index 00cd67ba9b..a525317093 100644
--- a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
+++ b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
@@ -5,8 +5,8 @@ SPL: Test that serialized blob contains unique elements (CVE-2010-2225)
 
 $badblobs = array(
 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
-'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
-'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
 );
 foreach($badblobs as $blob) {
 try {