author | Stanislav Malyshev <stas@php.net> | 2016-09-11 20:24:13 -0700 |
---|---|---|
committer | Ferenc Kovacs <tyra3l@gmail.com> | 2016-09-15 10:03:35 +0200 |
commit | 589cfc7d0ebbc2399b6cbac3351ae26d569e9600 (patch) | |
tree | cd567a442a7b9a24229213de84d05a1a3af9251c | |
parent | 780daee62b55995a10f8e849159eff0a25bacb9d (diff) | |
download | php-git-589cfc7d0ebbc2399b6cbac3351ae26d569e9600.tar.gz |
Fix bug #73029 - Missing type check when unserializing SplArray
-rw-r--r-- | ext/spl/spl_array.c | 10 | ||||
-rw-r--r-- | ext/spl/tests/bug73029.phpt | 16 |
2 files changed, 22 insertions, 4 deletions
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 42a8e7aa44..700d6093dd 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -308,7 +308,7 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object,
 long index;
 HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
- if (!offset) {
+ if (!offset || !ht) {
 return &EG(uninitialized_zval_ptr);
 }
@@ -626,7 +626,7 @@ static int spl_array_has_dimension_ex(int check_inherited, zval *object, zval *o
 HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
 switch(Z_TYPE_P(offset)) {
- case IS_STRING:
+ case IS_STRING:
 if (zend_symtable_find(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void **) &tmp) != FAILURE) {
 if (check_empty == 2) {
 return 1;
@@ -638,7 +638,7 @@ static int spl_array_has_dimension_ex(int check_inherited, zval *object, zval *o
 case IS_DOUBLE:
 case IS_RESOURCE:
- case IS_BOOL:
+ case IS_BOOL:
 case IS_LONG:
 if (offset->type == IS_DOUBLE) {
 index = (long)Z_DVAL_P(offset);
@@ -1810,7 +1810,9 @@ SPL_METHOD(Array, unserialize)
 intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK;
 zval_ptr_dtor(&intern->array);
 ALLOC_INIT_ZVAL(intern->array);
- if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+ if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)
+ || (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) {
+ zval_ptr_dtor(&intern->array);
 goto outexcept;
 }
 var_push_dtor(&var_hash, &intern->array);
diff --git a/ext/spl/tests/bug73029.phpt b/ext/spl/tests/bug73029.phpt
new file mode 100644
index 0000000000..a379f8005e
--- /dev/null
+++ b/ext/spl/tests/bug73029.phpt
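Review bot: The new `!ht` guard in spl_array_get_dimension_ptr_ptr (hunk at -308) is not mirrored in spl_array_has_dimension_ex, where the -626 hunk shows `ht` taken from the same spl_array_get_hash_table call and passed straight to `zend_symtable_find` with no null check in the visible lines. If a NULL table is possible, as the added guard implies, that function should bail out before the `switch`, for example `if (!ht) { return 0; }`, and the other callers of spl_array_get_hash_table outside this diff deserve the same audit. Both function bodies start and end outside their hunks, so a check elsewhere in them cannot be ruled out from here.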
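Review bot: After the added `zval_ptr_dtor(&intern->array);` in the failure branch of the -1810 hunk, `intern->array` still holds the pointer that was just released while the object itself stays alive until the exception path completes. Unless the code at `outexcept` or the object's free handler (both outside this hunk) resets or re-initialises it, the same pointer could be released or read again; consider adding `intern->array = NULL;` directly after the dtor call, provided spl_array_get_hash_table and its callers tolerate a NULL array. A comment above the condition such as `/* the payload must decode to an array or an object; any other type is rejected */` would record why the type check exists. SPL_METHOD(Array, unserialize) starts and ends outside the hunk.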
@@ -0,0 +1,16 @@
+--TEST--
+Bug #73029: Missing type check when unserializing SplArray
+--FILE--
+<?php
+try {
+$a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}';
+$m = unserialize($a);
+$x = $m[2];
+} catch(UnexpectedValueException $e) {
+ print $e->getMessage() . "\n";
+}
+?>
+DONE
+--EXPECTF--
+Error at offset 10 of 19 bytes
+DONE |