author | Dmitry Stogov <dmitry@php.net> | 2006-07-10 14:02:40 +0000 |
---|---|---|
committer | Dmitry Stogov <dmitry@php.net> | 2006-07-10 14:02:40 +0000 |
commit | 83ac79600e3ac519ae883bc5cbbff35eaf1a6657 (patch) | |
tree | 1f949522d017780d265e04fae70a0fb14c6d050d | |
parent | d9d23050d1adf4d7484305e5adf1f6efb45e29a2 (diff) | |
Fixed bug #37947 (zend_ptr_stack reallocation problem)
-rw-r--r-- | NEWS | 1 | ||||
-rwxr-xr-x | ext/standard/tests/serialize/bug37947.phpt | 21 | ||||
-rw-r--r-- | ext/standard/var.c | 32 |
3 files changed, 36 insertions, 18 deletions
@@ -90,6 +90,7 @@ PHP NEWS
 - Fixed bug #38003 (in classes inherited from MySQLi it's possible to call private constructors from invalid context). (Tony)
 - Fixed bug #37987 (invalid return of file_exists() in safe mode). (Ilia)
+- Fixed bug #37947 (zend_ptr_stack reallocation problem). (Dmitry)
 - Fixed bug #37931 (possible crash in OCI8 after database restart when using persistent connections). (Tony)
 - Fixed bug #37920 (compilation problems on z/OS). (Tony)
diff --git a/ext/standard/tests/serialize/bug37947.phpt b/ext/standard/tests/serialize/bug37947.phpt
new file mode 100755
index 0000000000..7b106cbb85
--- /dev/null
+++ b/ext/standard/tests/serialize/bug37947.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #37947 (zend_ptr_stack reallocation problem)
+--INI--
+error_reporting=0
+--FILE--
+<?
+class test {
+ function extend_zend_ptr_stack($count,$a,$b,$c,$d,$e) {
+ if ($count>0) $this->extend_zend_ptr_stack($count -
+1,$a,$b,$c,$d,$e);
+ }
+
+ function __wakeup() {
+ $this->extend_zend_ptr_stack(10,'a','b','c','d','e');
+ }
+}
+
+$str='a:2:{i:0;O:4:"test":0:{}junk';
+var_dump(unserialize($str));
+--EXPECT--
+bool(false)
diff --git a/ext/standard/var.c b/ext/standard/var.c
index db9fd60473..7a81013889 100644
--- a/ext/standard/var.c
+++ b/ext/standard/var.c
@@ -881,32 +881,28 @@ PHP_FUNCTION(serialize)
 PHP_FUNCTION(unserialize)
 {
- zval **buf;
+ char *buf;
+ int buf_len;
+ const unsigned char *p;
 php_unserialize_data_t var_hash;
- if (ZEND_NUM_ARGS() != 1 || zend_get_parameters_ex(1, &buf) == FAILURE) {
- WRONG_PARAM_COUNT;
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
+ RETURN_FALSE;
 }
- if (Z_TYPE_PP(buf) == IS_STRING) {
- const unsigned char *p = (unsigned char*)Z_STRVAL_PP(buf);
-
- if (Z_STRLEN_PP(buf) == 0) {
- RETURN_FALSE;
- }
+ if (buf_len == 0) {
+ RETURN_FALSE;
+ }
- PHP_VAR_UNSERIALIZE_INIT(var_hash);
- if (!php_var_unserialize(&return_value, &p, p + Z_STRLEN_PP(buf), &var_hash TSRMLS_CC)) {
- PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
- zval_dtor(return_value);
- php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Error at offset %ld of %d bytes", (long)((char*)p - Z_STRVAL_PP(buf)), Z_STRLEN_PP(buf));
- RETURN_FALSE;
- }
+ p = (const unsigned char*)buf;
+ PHP_VAR_UNSERIALIZE_INIT(var_hash);
+ if (!php_var_unserialize(&return_value, &p, p + buf_len, &var_hash TSRMLS_CC)) {
 PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
- } else {
- php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Argument is not a string");
+ zval_dtor(return_value);
+ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len);
 RETURN_FALSE;
 }
+ PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 }
 /* }}} */ |
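Review bot: The failure branch still reads `buf` and `p` after php_var_unserialize() has returned, and the new test shows that call can run a userland `__wakeup()`, so every pointer held across it has to stay valid while arbitrary PHP code executes. Copying the argument out as `char *buf` / `int buf_len` removes the dependency on the old `zval **` slot, but `buf` still points into the argument's string storage; that presumably stays alive because the call holds a reference to the argument, and a comment above `p = (const unsigned char*)buf;` should state the assumption, e.g. `/* buf belongs to the argument zval; never re-read it through the parameter stack, __wakeup() may reallocate that stack */`. Switching to the `"s"` specifier also drops the explicit `IS_STRING` check and its "Argument is not a string" notice, so non-string scalars are presumably now converted and parsed, which deserves a mention in the commit description if intended. bug37947.phpt runs with `error_reporting=0`, so the offset and length that the error path derives from `buf` are never asserted; expecting the notice text as well would catch a stale pointer that does not crash.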