From: Dmitry Stogov
Date: Wed, 10 Aug 2005 06:37:19 +0000 (+0000)
Subject: Fixed bug #34045 (Buffer overflow with serialized object)
X-Git-Tag: php-5.1.0RC1~34
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f0f1557998eca83a24f703338e49feb7411c8c5c;p=php
Fixed bug #34045 (Buffer overflow with serialized object)
---
diff --git a/NEWS b/NEWS
index fd08624c83..04d8ca8d53 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,7 @@ PHP NEWS
 - Fixed "make test" to work for phpized extensions. (Hartmut, Jani)
 - Fixed failing queries (FALSE returned) with mysqli_query() on 64 bit systems. (Andrey)
+- Fixed bug #34045 (Buffer overflow with serialized object). (Dmitry)
 - Fixed bug #33999 (object remains object when cast to int). (Dmitry)
 - Fixed bug #33996 (No information given for fatal error on passing invalid value to typed argument). (Dmitry)
diff --git a/Zend/tests/bug34045.phpt b/Zend/tests/bug34045.phpt
new file mode 100755
index 0000000000..61886cf354
--- /dev/null
+++ b/Zend/tests/bug34045.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Bug #34045 (Buffer overflow with serialized object)
+--FILE--
+
+--EXPECT--
+ok
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 1dfc8164a1..92942b1593 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -1838,10 +1838,14 @@ ZEND_VM_HELPER(zend_do_fcall_common_helper, ANY, ANY)
 }
 EG(current_execute_data) = EXECUTE_DATA;
+
+/* We shouldn't fix bad extensions here,
+ because it can break proper ones (Bug #34045)
 if (!EX(function_state).function->common.return_reference) {
 EX_T(opline->result.u.var).var.ptr->is_ref = 0;
 EX_T(opline->result.u.var).var.ptr->refcount = 1;
 }
+*/
 if (!return_value_used) {
 zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
 }
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 2b6662a150..d1f492836f 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
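Review bot: The is_ref/refcount reset in the zend_vm_def.h hunk is disabled by wrapping live code in a `/* … */` block instead of deleting it, and the zend_vm_execute.h hunk carries the same leftover (that file is generated from zend_vm_def.h, so the definition file is the one to change). Commented-out code that still reads as the old behaviour invites someone to re-enable it, and the added comment does not say why it is wrong: forcing `refcount = 1` on a return value that is still shared elsewhere — which seems to be how the unserialized object in Bug #34045 reached the `zval_ptr_dtor` below — lets that call free memory that is still in use. Replace the four added lines and the commented-out statements with a short rationale, e.g. `/* Do not normalise is_ref/refcount of the return value here: a zval the callee still shares elsewhere would be freed by the zval_ptr_dtor below while still referenced (Bug #34045). */`. zend_do_fcall_common_helper starts and ends outside the hunk.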
@@ -187,10 +187,14 @@ static int zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS)
 }
 EG(current_execute_data) = execute_data;
+
+/* We shouldn't fix bad extensions here,
+ because it can break proper ones (Bug #34045)
 if (!EX(function_state).function->common.return_reference) {
 EX_T(opline->result.u.var).var.ptr->is_ref = 0;
 EX_T(opline->result.u.var).var.ptr->refcount = 1;
 }
+*/
 if (!return_value_used) {
 zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
 }