From: Dmitry Stogov
Date: Mon, 9 Jul 2007 14:31:56 +0000 (+0000)
Subject: Proper fix for MOPB-29
X-Git-Tag: php-5.2.4RC1~207
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=fe9a8266053de5e04468d2e276fbd277978dc1ef;p=php

Proper fix for MOPB-29
---
diff --git a/ext/standard/tests/serialize/unserializeS.phpt b/ext/standard/tests/serialize/unserializeS.phpt
index 8516f7183e..897208bb59 100755
--- a/ext/standard/tests/serialize/unserializeS.phpt
+++ b/ext/standard/tests/serialize/unserializeS.phpt
@@ -11,4 +11,4 @@ $data = unserialize($str);
 var_dump($data);
 --EXPECT--
-string(100) "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+bool(false)
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
index c431f53b0a..3cadea7d29 100644
--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
@@ -140,18 +140,22 @@ PHPAPI void var_destroy(php_unserialize_data_t *var_hashx)
 /* }}} */
-static char *unserialize_str(const unsigned char **p, size_t *len)
+static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen)
 {
 size_t i, j;
 char *str = safe_emalloc(*len, 1, 1);
- unsigned char *end = *(unsigned char **)p+*len;
+ unsigned char *end = *(unsigned char **)p+maxlen;
 if(end < *p) {
 efree(str);
 return NULL;
 }
- for (i = 0; i < *len && *p < end; i++) {
+ for (i = 0; i < *len; i++) {
+ if (*p >= end) {
+ efree(str);
+ return NULL;
+ }
 if (**p != '\\') {
 str[i] = (char)**p;
 } else {
@@ -757,7 +761,7 @@ yy41:
 return 0;
 }
- if ((str = unserialize_str(&YYCURSOR, &len)) == NULL) {
+ if ((str = unserialize_str(&YYCURSOR, &len, maxlen)) == NULL) {
 return 0;
 }
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 59f755c548..b5a0e0b03c 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
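Review bot: The new `if (*p >= end)` guard in unserialize_str proves only that one byte remains before `**p` is read, so the escape branch under `} else {`, which continues past the hunk, still needs its own bound if it advances `*p` to decode the bytes after the backslash; comparing `(size_t)(end - *p)` against the number of bytes that branch consumes, before it reads them, closes that gap. The pre-existing overflow test `if(end < *p)` relies on `*(unsigned char **)p+maxlen` wrapping, which forms a pointer outside the object and is undefined behaviour in C, so a safer shape is to keep `maxlen` as a byte count and check a consumed counter against it instead of forming `end` at all. The new `maxlen` parameter is undocumented; a line such as `/* maxlen: bytes readable from *p; returns NULL rather than read past them */` above the signature would state the contract the caller must uphold. unserialize_str's body runs past the hunk, and the identical hunk in ext/standard/var_unserializer.re (`@@ -138,18 +138,22 @@`) carries the same points; since the .c file appears to be re2c output (`yy41:`, `YYCURSOR`), the .re source is the one to fix and the .c file should be regenerated rather than hand-patched twice.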
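Review bot: The `maxlen` passed at `unserialize_str(&YYCURSOR, &len, maxlen)` is a valid bound only if it was computed from the current `YYCURSOR`, after the scanner consumed the `S:<len>:"` prefix; if it was derived earlier, it overstates the readable bytes by the prefix length and the new check inside unserialize_str is weaker than intended. Its computation lies outside the hunk, so confirm it is the distance from `YYCURSOR` to the end of the input buffer taken immediately before this call, and consider a comment on the call such as `/* maxlen: bytes left in the input from YYCURSOR, recomputed after the prefix */` so the dependency is explicit. The enclosing block starts before the hunk, and the matching call site in ext/standard/var_unserializer.re (`@@ -525,7 +529,7 @@`) raises the same question.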
@@ -138,18 +138,22 @@ PHPAPI void var_destroy(php_unserialize_data_t *var_hashx)
 /* }}} */
-static char *unserialize_str(const unsigned char **p, size_t *len)
+static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen)
 {
 size_t i, j;
 char *str = safe_emalloc(*len, 1, 1);
- unsigned char *end = *(unsigned char **)p+*len;
+ unsigned char *end = *(unsigned char **)p+maxlen;
 if(end < *p) {
 efree(str);
 return NULL;
 }
- for (i = 0; i < *len && *p < end; i++) {
+ for (i = 0; i < *len; i++) {
+ if (*p >= end) {
+ efree(str);
+ return NULL;
+ }
 if (**p != '\\') {
 str[i] = (char)**p;
 } else {
@@ -525,7 +529,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 return 0;
 }
- if ((str = unserialize_str(&YYCURSOR, &len)) == NULL) {
+ if ((str = unserialize_str(&YYCURSOR, &len, maxlen)) == NULL) {
 return 0;
 }