diff options
author | Nikita Popov <nikita.ppv@gmail.com> | 2019-09-23 13:16:58 +0200 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2019-09-23 13:18:27 +0200 |
commit | 8509970e6a392de42b81882d7c81fa96a3c972e1 (patch) | |
tree | a48516787f3915b934cf47384872dbeecaffb97e | |
parent | 697945aa89c060548e003d8ca6785faf5a35e898 (diff) | |
download | php-git-8509970e6a392de42b81882d7c81fa96a3c972e1.tar.gz |
Fix signed integer overflow in SplObjectStorage unserialization
If count is ZEND_LONG_MIN the count-- loop underflows. This is
ultimately harmless, but results in a ubsan warning.
Fix this by adding a sanity check that the count isn't negative,
because that doesn't make sense...
-rw-r--r-- | ext/spl/spl_observer.c | 3 | ||||
-rw-r--r-- | ext/standard/tests/serialize/splobjectstorage_negative_count.phpt | 15 |
2 files changed, 18 insertions, 0 deletions
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c index adf59128a1..605a9234d1 100644 --- a/ext/spl/spl_observer.c +++ b/ext/spl/spl_observer.c @@ -787,6 +787,9 @@ SPL_METHOD(SplObjectStorage, unserialize) --p; /* for ';' */ count = Z_LVAL_P(pcount); + if (count < 0) { + goto outexcept; + } ZVAL_UNDEF(&entry); ZVAL_UNDEF(&inf); diff --git a/ext/standard/tests/serialize/splobjectstorage_negative_count.phpt b/ext/standard/tests/serialize/splobjectstorage_negative_count.phpt new file mode 100644 index 0000000000..4dda491a8b --- /dev/null +++ b/ext/standard/tests/serialize/splobjectstorage_negative_count.phpt @@ -0,0 +1,15 @@ +--TEST-- +OSS-Fuzz: Unserializing SplObjectStorage with negative number of elements +--FILE-- +<?php + +$str = 'C:16:"SplObjectStorage":25:{x:i:-9223372036854775808;}'; +try { + var_dump(unserialize($str)); +} catch (Exception $e) { + echo $e->getMessage(), "\n"; +} + +?> +--EXPECT-- +Error at offset 24 of 25 bytes |