diff options
author | Nikita Popov <nikita.ppv@gmail.com> | 2019-09-16 13:01:59 +0200 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2019-09-16 13:02:32 +0200 |
commit | 8873df8e8653e2ffc1709b68f24c4a68536d8b84 (patch) | |
tree | a33e9123b4af58c34877cf5e4608fffc5e806678 | |
parent | 81cefab7b0236382d269d2c516f7fd3b85c62cc2 (diff) | |
download | php-git-8873df8e8653e2ffc1709b68f24c4a68536d8b84.tar.gz |
Fix leak in SplObjectStorage unserialization
The result of php_var_unserialize always needs to be destroyed,
even if the call failed.
-rw-r--r-- | ext/spl/spl_observer.c | 2 | ||||
-rw-r--r-- | ext/standard/tests/serialize/unserialize_leak.phpt | 16 |
2 files changed, 18 insertions, 0 deletions
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c index e4342a8788..adf59128a1 100644 --- a/ext/spl/spl_observer.c +++ b/ext/spl/spl_observer.c @@ -804,12 +804,14 @@ SPL_METHOD(SplObjectStorage, unserialize) } /* store reference to allow cross-references between different elements */ if (!php_var_unserialize(&entry, &p, s + buf_len, &var_hash)) { + zval_ptr_dtor(&entry); goto outexcept; } if (*p == ',') { /* new version has inf */ ++p; if (!php_var_unserialize(&inf, &p, s + buf_len, &var_hash)) { zval_ptr_dtor(&entry); + zval_ptr_dtor(&inf); goto outexcept; } } diff --git a/ext/standard/tests/serialize/unserialize_leak.phpt b/ext/standard/tests/serialize/unserialize_leak.phpt new file mode 100644 index 0000000000..383bcfc075 --- /dev/null +++ b/ext/standard/tests/serialize/unserialize_leak.phpt @@ -0,0 +1,16 @@ +--TEST-- +Unserialize leak in SplObjectStorage +--FILE-- +<?php + +$payload = 'C:16:"SplObjectStorage":113:{x:i:2;O:8:"stdClass":1:{},a:2:{s:4:"prev";i:2;s:4:"next";O:8:"stdClass":0:{}};r:7;,R:2;s:4:"next";;r:3;};m:a:0:{}}'; +try { + var_dump(unserialize($payload)); +} catch (Exception $e) { + echo $e->getMessage(), "\n"; +} + +?> +--EXPECTF-- +Notice: SplObjectStorage::unserialize(): Unexpected end of serialized data in %s on line %d +Error at offset 24 of 113 bytes |