From 9f3362933ac55b700a0785fd505ea4676e6ed699 Mon Sep 17 00:00:00 2001 From: Sascha Schumann Date: Fri, 16 Nov 2001 16:34:14 +0000 Subject: [PATCH] Fix two incidents which have been reported about the new unserializer. #1: forgot to handle negative numbers #2: added zval_ptr_dtor which was not in the original code which might lead to crash PR: #14082 --- ext/standard/var_unserializer.c | 294 ++++++++++++++++++++----------- ext/standard/var_unserializer.re | 18 +- 2 files changed, 207 insertions(+), 105 deletions(-) diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c index fe2fdcbf00..cbc00fbb19 100644 --- a/ext/standard/var_unserializer.c +++ b/ext/standard/var_unserializer.c @@ -1,4 +1,4 @@ -/* Generated by re2c 0.5 on Fri Nov 9 14:39:34 2001 */ +/* Generated by re2c 0.5 on Fri Nov 16 17:32:31 2001 */ #line 1 "/home/sas/src/php4/ext/standard/var_unserializer.re" #include "php.h" #include "ext/standard/php_var.h" @@ -100,7 +100,16 @@ static inline int parse_iv2(const char *p, const char **q) { char cursor; int result = 0; - + int neg = 0; + + switch (*p) { + case '-': + neg++; + /* fall-through */ + case '+': + p++; + } + while (1) { cursor = *p; if (cursor >= '0' && cursor <= '9') { @@ -111,6 +120,7 @@ static inline int parse_iv2(const char *p, const char **q) p++; } if (q) *q = p; + if (neg) return -result; return result; } @@ -167,7 +177,9 @@ static inline int finish_nested_data(UNSERIALIZE_PARAMETER) if (*((*p)++) == '}') return 1; +#if SOMETHING_NEW_MIGHT_LEAD_TO_CRASH_ENABLE_IF_YOU_ARE_BRAVE zval_ptr_dtor(rval); +#endif return 0; } @@ -258,7 +270,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER) goto yy0; yy1: ++YYCURSOR; yy0: - if((YYLIMIT - YYCURSOR) < 4) YYFILL(4); + if((YYLIMIT - YYCURSOR) < 5) YYFILL(5); yych = *YYCURSOR; if(yych <= 'c'){ if(yych <= 'Q'){ 
@@ -297,36 +309,36 @@ yy2: YYCURSOR = YYMARKER; } yy3: yyaccept = 0; yych = *(YYMARKER = ++YYCURSOR); - if(yych == ':') goto yy65; + if(yych == ':') goto yy73; yy4: -#line 356 +#line 368 { return 0; } yy5: yych = *++YYCURSOR; - if(yych == ';') goto yy63; + if(yych == ';') goto yy71; goto yy4; yy6: yyaccept = 0; yych = *(YYMARKER = ++YYCURSOR); - if(yych == ':') goto yy58; + if(yych == ':') goto yy65; goto yy4; yy7: yyaccept = 0; yych = *(YYMARKER = ++YYCURSOR); - if(yych == ':') goto yy53; + if(yych == ':') goto yy59; goto yy4; yy8: yyaccept = 0; yych = *(YYMARKER = ++YYCURSOR); - if(yych == ':') goto yy38; + if(yych == ':') goto yy42; goto yy4; yy9: yyaccept = 0; yych = *(YYMARKER = ++YYCURSOR); - if(yych == ':') goto yy32; + if(yych == ':') goto yy35; goto yy4; yy10: yyaccept = 0; yych = *(YYMARKER = ++YYCURSOR); - if(yych == ':') goto yy26; + if(yych == ':') goto yy28; goto yy4; yy11: yyaccept = 0; yych = *(YYMARKER = ++YYCURSOR); - if(yych == ':') goto yy20; + if(yych == ':') goto yy21; goto yy4; yy12: yyaccept = 0; yych = *(YYMARKER = ++YYCURSOR); @@ -335,18 +347,22 @@ yy12: yyaccept = 0; yy13: yych = *++YYCURSOR; goto yy4; yy14: yych = *++YYCURSOR; - if(yybm[0+yych] & 128) goto yy15; + if(yybm[0+yych] & 128) goto yy16; + if(yych == '+') goto yy15; + if(yych != '-') goto yy2; +yy15: yych = *++YYCURSOR; + if(yybm[0+yych] & 128) goto yy16; goto yy2; -yy15: ++YYCURSOR; +yy16: ++YYCURSOR; if(YYLIMIT == YYCURSOR) YYFILL(1); yych = *YYCURSOR; -yy16: if(yybm[0+yych] & 128) goto yy15; +yy17: if(yybm[0+yych] & 128) goto yy16; if(yych != ':') goto yy2; -yy17: yych = *++YYCURSOR; - if(yych != '"') goto yy2; yy18: yych = *++YYCURSOR; -yy19: -#line 317 + if(yych != '"') goto yy2; +yy19: yych = *++YYCURSOR; +yy20: +#line 329 { int len; int elements; 
@@ -385,20 +401,29 @@ yy19: return object_common2(UNSERIALIZE_PASSTHRU, elements); } -yy20: yych = *++YYCURSOR; +yy21: yych = *++YYCURSOR; + if(yych <= ','){ + if(yych != '+') goto yy2; + } else { + if(yych <= '-') goto yy22; + if(yych <= '/') goto yy2; + if(yych <= '9') goto yy23; + goto yy2; + } +yy22: yych = *++YYCURSOR; if(yych <= '/') goto yy2; if(yych >= ':') goto yy2; -yy21: ++YYCURSOR; +yy23: ++YYCURSOR; if(YYLIMIT == YYCURSOR) YYFILL(1); yych = *YYCURSOR; -yy22: if(yych <= '/') goto yy2; - if(yych <= '9') goto yy21; +yy24: if(yych <= '/') goto yy2; + if(yych <= '9') goto yy23; if(yych >= ';') goto yy2; -yy23: yych = *++YYCURSOR; +yy25: yych = *++YYCURSOR; if(yych != '"') goto yy2; -yy24: yych = *++YYCURSOR; -yy25: -#line 309 +yy26: yych = *++YYCURSOR; +yy27: +#line 321 { INIT_PZVAL(*rval); @@ -406,20 +431,29 @@ yy25: return object_common2(UNSERIALIZE_PASSTHRU, object_common1(UNSERIALIZE_PASSTHRU, &zend_standard_class_def)); } -yy26: yych = *++YYCURSOR; +yy28: yych = *++YYCURSOR; + if(yych <= ','){ + if(yych != '+') goto yy2; + } else { + if(yych <= '-') goto yy29; + if(yych <= '/') goto yy2; + if(yych <= '9') goto yy30; + goto yy2; + } +yy29: yych = *++YYCURSOR; if(yych <= '/') goto yy2; if(yych >= ':') goto yy2; -yy27: ++YYCURSOR; +yy30: ++YYCURSOR; if(YYLIMIT == YYCURSOR) YYFILL(1); yych = *YYCURSOR; -yy28: if(yych <= '/') goto yy2; - if(yych <= '9') goto yy27; +yy31: if(yych <= '/') goto yy2; + if(yych <= '9') goto yy30; if(yych >= ';') goto yy2; -yy29: yych = *++YYCURSOR; +yy32: yych = *++YYCURSOR; if(yych != '{') goto yy2; -yy30: yych = *++YYCURSOR; -yy31: -#line 291 +yy33: yych = *++YYCURSOR; +yy34: +#line 303 { int elements = parse_iv(start + 2); 
@@ -437,20 +471,29 @@ yy31: return finish_nested_data(UNSERIALIZE_PASSTHRU); } -yy32: yych = *++YYCURSOR; +yy35: yych = *++YYCURSOR; + if(yych <= ','){ + if(yych != '+') goto yy2; + } else { + if(yych <= '-') goto yy36; + if(yych <= '/') goto yy2; + if(yych <= '9') goto yy37; + goto yy2; + } +yy36: yych = *++YYCURSOR; if(yych <= '/') goto yy2; if(yych >= ':') goto yy2; -yy33: ++YYCURSOR; +yy37: ++YYCURSOR; if(YYLIMIT == YYCURSOR) YYFILL(1); yych = *YYCURSOR; -yy34: if(yych <= '/') goto yy2; - if(yych <= '9') goto yy33; +yy38: if(yych <= '/') goto yy2; + if(yych <= '9') goto yy37; if(yych >= ';') goto yy2; -yy35: yych = *++YYCURSOR; +yy39: yych = *++YYCURSOR; if(yych != '"') goto yy2; -yy36: yych = *++YYCURSOR; -yy37: -#line 271 +yy40: yych = *++YYCURSOR; +yy41: +#line 283 { int len; char *str; 
@@ -470,145 +513,192 @@ yy37: ZVAL_STRINGL(*rval, str, len, 0); return 1; } -yy38: yych = *++YYCURSOR; - if(yych == '.') goto yy41; +yy42: yych = *++YYCURSOR; + if(yych <= '-'){ + if(yych == '+') goto yy43; + if(yych <= ',') goto yy2; + } else { + if(yych <= '.') goto yy46; + if(yych <= '/') goto yy2; + if(yych <= '9') goto yy44; + goto yy2; + } +yy43: yych = *++YYCURSOR; + if(yych == '.') goto yy46; if(yych <= '/') goto yy2; if(yych >= ':') goto yy2; -yy39: ++YYCURSOR; +yy44: ++YYCURSOR; if(YYLIMIT == YYCURSOR) YYFILL(1); yych = *YYCURSOR; -yy40: if(yych <= '/'){ - if(yych == '.') goto yy50; +yy45: if(yych <= '/'){ + if(yych == '.') goto yy56; goto yy2; } else { - if(yych <= '9') goto yy39; - if(yych == ';') goto yy44; + if(yych <= '9') goto yy44; + if(yych == ';') goto yy49; goto yy2; } -yy41: yych = *++YYCURSOR; +yy46: yych = *++YYCURSOR; if(yych <= '/') goto yy2; if(yych >= ':') goto yy2; -yy42: ++YYCURSOR; +yy47: ++YYCURSOR; if(YYLIMIT == YYCURSOR) YYFILL(1); yych = *YYCURSOR; -yy43: if(yych <= ';'){ +yy48: if(yych <= ';'){ if(yych <= '/') goto yy2; - if(yych <= '9') goto yy42; + if(yych <= '9') goto yy47; if(yych <= ':') goto yy2; } else { if(yych <= 'E'){ if(yych <= 'D') goto yy2; - goto yy46; + goto yy51; } else { - if(yych == 'e') goto yy46; + if(yych == 'e') goto yy51; goto yy2; } } -yy44: yych = *++YYCURSOR; -yy45: -#line 264 +yy49: yych = *++YYCURSOR; +yy50: +#line 276 { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_DOUBLE(*rval, atof(start + 2)); return 1; } -yy46: yych = *++YYCURSOR; +yy51: yych = *++YYCURSOR; if(yych <= ','){ if(yych != '+') goto yy2; } else { - if(yych <= '-') goto yy47; + if(yych <= '-') goto yy52; if(yych <= '/') goto yy2; - if(yych <= '9') goto yy48; + if(yych <= '9') goto yy53; goto yy2; } -yy47: yych = *++YYCURSOR; - if(yych <= '/') goto yy2; - if(yych >= ':') goto yy2; -yy48: ++YYCURSOR; +yy52: yych = *++YYCURSOR; + if(yych <= ','){ + if(yych == '+') goto yy55; + goto yy2; + } else { + if(yych <= '-') goto yy55; + if(yych <= '/') 
goto yy2; + if(yych >= ':') goto yy2; + } +yy53: ++YYCURSOR; if(YYLIMIT == YYCURSOR) YYFILL(1); yych = *YYCURSOR; -yy49: if(yych <= '/') goto yy2; - if(yych <= '9') goto yy48; - if(yych == ';') goto yy44; +yy54: if(yych <= '/') goto yy2; + if(yych <= '9') goto yy53; + if(yych == ';') goto yy49; goto yy2; -yy50: yych = *++YYCURSOR; +yy55: yych = *++YYCURSOR; + if(yych <= '/') goto yy2; + if(yych <= '9') goto yy53; + goto yy2; +yy56: yych = *++YYCURSOR; if(yych <= '/') goto yy2; if(yych >= ':') goto yy2; -yy51: ++YYCURSOR; - if((YYLIMIT - YYCURSOR) < 3) YYFILL(3); +yy57: ++YYCURSOR; + if((YYLIMIT - YYCURSOR) < 4) YYFILL(4); yych = *YYCURSOR; -yy52: if(yych <= ';'){ +yy58: if(yych <= ';'){ if(yych <= '/') goto yy2; - if(yych <= '9') goto yy51; + if(yych <= '9') goto yy57; if(yych <= ':') goto yy2; - goto yy44; + goto yy49; } else { if(yych <= 'E'){ if(yych <= 'D') goto yy2; - goto yy46; + goto yy51; } else { - if(yych == 'e') goto yy46; + if(yych == 'e') goto yy51; goto yy2; } } -yy53: yych = *++YYCURSOR; +yy59: yych = *++YYCURSOR; + if(yych <= ','){ + if(yych != '+') goto yy2; + } else { + if(yych <= '-') goto yy60; + if(yych <= '/') goto yy2; + if(yych <= '9') goto yy61; + goto yy2; + } +yy60: yych = *++YYCURSOR; if(yych <= '/') goto yy2; if(yych >= ':') goto yy2; -yy54: ++YYCURSOR; +yy61: ++YYCURSOR; if(YYLIMIT == YYCURSOR) YYFILL(1); yych = *YYCURSOR; -yy55: if(yych <= '/') goto yy2; - if(yych <= '9') goto yy54; +yy62: if(yych <= '/') goto yy2; + if(yych <= '9') goto yy61; if(yych != ';') goto yy2; -yy56: yych = *++YYCURSOR; -yy57: -#line 257 +yy63: yych = *++YYCURSOR; +yy64: +#line 269 { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_LONG(*rval, parse_iv(start + 2)); return 1; } -yy58: yych = *++YYCURSOR; +yy65: yych = *++YYCURSOR; + if(yych <= ','){ + if(yych != '+') goto yy2; + } else { + if(yych <= '-') goto yy66; + if(yych <= '/') goto yy2; + if(yych <= '9') goto yy67; + goto yy2; + } +yy66: yych = *++YYCURSOR; if(yych <= '/') goto yy2; if(yych >= ':') goto yy2; 
-yy59: ++YYCURSOR; +yy67: ++YYCURSOR; if(YYLIMIT == YYCURSOR) YYFILL(1); yych = *YYCURSOR; -yy60: if(yych <= '/') goto yy2; - if(yych <= '9') goto yy59; +yy68: if(yych <= '/') goto yy2; + if(yych <= '9') goto yy67; if(yych != ';') goto yy2; -yy61: yych = *++YYCURSOR; -yy62: -#line 250 +yy69: yych = *++YYCURSOR; +yy70: +#line 262 { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_BOOL(*rval, parse_iv(start + 2)); return 1; } -yy63: yych = *++YYCURSOR; -yy64: -#line 243 +yy71: yych = *++YYCURSOR; +yy72: +#line 255 { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_NULL(*rval); return 1; } -yy65: yych = *++YYCURSOR; +yy73: yych = *++YYCURSOR; + if(yych <= ','){ + if(yych != '+') goto yy2; + } else { + if(yych <= '-') goto yy74; + if(yych <= '/') goto yy2; + if(yych <= '9') goto yy75; + goto yy2; + } +yy74: yych = *++YYCURSOR; if(yych <= '/') goto yy2; if(yych >= ':') goto yy2; -yy66: ++YYCURSOR; +yy75: ++YYCURSOR; if(YYLIMIT == YYCURSOR) YYFILL(1); yych = *YYCURSOR; -yy67: if(yych <= '/') goto yy2; - if(yych <= '9') goto yy66; +yy76: if(yych <= '/') goto yy2; + if(yych <= '9') goto yy75; if(yych != ';') goto yy2; -yy68: yych = *++YYCURSOR; -yy69: -#line 224 +yy77: yych = *++YYCURSOR; +yy78: +#line 236 { int id; @@ -628,7 +718,7 @@ yy69: return 1; } } -#line 358 +#line 370 return 0; diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index 02c1fce66b..48bf196053 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re @@ -90,8 +90,8 @@ void var_destroy(php_unserialize_data_t *var_hashx) /*!re2c -iv = [0-9]+; -nv = ([0-9]* "." [0-9]+|[0-9]+ "." [0-9]+); +iv = [+-]? [0-9]+; +nv = [+-]? ([0-9]* "." [0-9]+|[0-9]+ "." [0-9]+); nvexp = nv [eE] [+-]? iv; any = [\000-\277]; */ 
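Review bot: Making `iv` signed applies to every rule that uses it, not just `i:`/`b:`/`r:`; the `s:` length and the `a:`/`O:` element counts go through the same `iv` and are read back with `parse_iv(start + 2)` (the generated `s:` handler above ends in `ZVAL_STRINGL(*rval, str, len, 0)`), so `s:-1:"..."` now matches the grammar and hands a negative `len` to code that could previously assume a non-negative value. Whether the length/count checks in those handlers reject negatives is not visible in this patch, so that should be confirmed; the safer change is to keep sizes unsigned at the grammar level by adding `uiv = [0-9]+;` next to `iv` and using `uiv` in the `s:`, `a:` and `O:` rules (those rules are outside this hunk). Separately, `nvexp = nv [eE] [+-]? iv` with a signed `iv` now also accepts a doubled exponent sign such as `d:1.0e+-5;`, which the `atof(start + 2)` call in the `d:` handler will presumably parse as `1.0` rather than reject; `nvexp = nv [eE] [+-]? [0-9]+;` keeps the old meaning.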
@@ -102,7 +102,16 @@ static inline int parse_iv2(const char *p, const char **q) { char cursor; int result = 0; - + int neg = 0; + + switch (*p) { + case '-': + neg++; + /* fall-through */ + case '+': + p++; + } + while (1) { cursor = *p; if (cursor >= '0' && cursor <= '9') { @@ -113,6 +122,7 @@ static inline int parse_iv2(const char *p, const char **q) p++; } if (q) *q = p; + if (neg) return -result; return result; } @@ -169,7 +179,9 @@ static inline int finish_nested_data(UNSERIALIZE_PARAMETER) if (*((*p)++) == '}') return 1; +#if SOMETHING_NEW_MIGHT_LEAD_TO_CRASH_ENABLE_IF_YOU_ARE_BRAVE zval_ptr_dtor(rval); +#endif return 0; } -- 2.40.0
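Review bot: The new `switch` consumes a leading sign unconditionally, so `parse_iv2("-", &q)` returns 0 with `*q` one past the sign; that is harmless for callers reached through the re2c rules (which require a digit after the optional sign) but would surprise any direct caller that uses `*q == p` to detect "no number". A `default:` arm, or a comment stating the lexer guarantee, would make the intent explicit, e.g. `default: break; /* callers only pass text matched by [+-]?[0-9]+ */`. Note also that `result` is an `int` while the grammar accepts any number of digits, so a long digit run overflows before `-result` is ever applied; the accumulation statement is outside this hunk, but a range check there is worth pairing with the new sign handling.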
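Review bot: Wrapping `zval_ptr_dtor(rval)` in `#if SOMETHING_NEW_MIGHT_LEAD_TO_CRASH_ENABLE_IF_YOU_ARE_BRAVE` leaves dead code behind a macro nothing defines and records neither why the call is unsafe nor who owns `*rval` on the failure path; the commit message only says it "might lead to crash". The visible consequence is that when the closing `}` is missing, `finish_nested_data` returns 0 with the partially built container still in `*rval`, so malformed input leaks whatever was parsed so far unless the caller frees it (presumably the caller does, which would explain the crash, but that is not shown here). Drop the disabled call and state the ownership rule instead, e.g. `/* Do not destroy *rval here: the caller still owns it (freeing it crashed, PR #14082); confirm the caller releases the partial container on the 0 path. */`.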