authorStanislav Malyshev <stas@php.net>2014-06-21 19:46:16 -0700
committerStanislav Malyshev <stas@php.net>2014-07-18 16:31:59 -0700
commitc74efe1b2efd7222b27d36f383623cd19ed0e102 (patch)
treeb9b0ff6fdd6f37b37a9c18385d23a37c49b2e42c
parentb5051ff939eb9dbada8ce10fbea8cf37e50b5a36 (diff)
Fix bug #67492: unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion
Conflicts: ext/spl/spl_array.c ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
-rw-r--r--ext/spl/spl_array.c2
-rw-r--r--ext/spl/spl_observer.c2
-rw-r--r--ext/spl/tests/SplObjectStorage_unserialize_bad.phpt9
3 files changed, 8 insertions, 5 deletions
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index f2f3f1c61b..312beaa008 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1816,7 +1816,7 @@ void spl_array_unserialize_helper(spl_array_object *intern, const unsigned char
++p;
ALLOC_INIT_ZVAL(pmembers);
- if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p TSRMLS_CC)) {
+ if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
zval_ptr_dtor(&pmembers);
goto outexcept;
}
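Review bot: The new `Z_TYPE_P(pmembers) != IS_ARRAY` check in spl_array_unserialize_helper has no regression test in this commit; the only test file touched is SplObjectStorage_unserialize_bad.phpt, which covers the identical check added to SplObjectStorage::unserialize in spl_observer.c. An ArrayObject counterpart of the `m:s:40:"…"` case, asserting that the blob is rejected, would keep the two paths from drifting apart. Both sites would also benefit from a one-line comment such as `/* members must be an array; any other type from the serialized blob is rejected */`, because the code that consumes pmembers lies outside the hunk and the reason for the type test is not visible here. The function body starts and ends outside this hunk.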
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index 876efea688..1a491e1f48 100644
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -801,7 +801,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
++p;
ALLOC_INIT_ZVAL(pmembers);
- if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+ if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
zval_ptr_dtor(&pmembers);
goto outexcept;
}
diff --git a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
index 9e3f3605b7..4adfa6f7b4 100644
--- a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
+++ b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
@@ -5,8 +5,9 @@ SPL: Test that serialized blob contains unique elements (CVE-2010-2225)
$badblobs = array(
'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
-'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
-'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"',
);
foreach($badblobs as $blob) {
try {
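Review bot: The blob added to `$badblobs` with `m:s:40:"…"` as its members section carries no comment, and the test title in the hunk header still describes only the unique-elements check for CVE-2010-2225. A line such as `// bug #67492: members section is a string instead of an array` above it would tell a reader why this case is here. The two existing blobs also change from `R:1;`/`r:1;` to `R:2;`/`r:2;`, and the commit message gives no reason beyond the conflict note; a short comment on what those indices are meant to reference would help.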
@@ -17,6 +18,7 @@ try {
echo $e->getMessage()."\n";
}
}
+echo "DONE\n";
--EXPECTF--
Error at offset 6 of 34 bytes
Error at offset 46 of 89 bytes
@@ -42,4 +44,5 @@ object(SplObjectStorage)#2 (1) {
}
}
}
-
+Error at offset 79 of 78 bytes
+DONE
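Review bot: The expected line `Error at offset 79 of 78 bytes` pins an offset one past the end of the input, which suggests the parse pointer has moved beyond `s + buf_len` by the time the new type check fails. The new blob ends at the closing quote of the string with no trailing `;`, which is presumably the cause; it is worth confirming that nothing is read past the buffer on that path. Ending the test blob with `";` would likely bring the reported offset back in range, so the test would cover the type check alone rather than also pinning this quirk.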