Fix bug #73147: Use After Free in PHP7 unserialize()

author: Stanislav Malyshev <stas@php.net> 2016-09-25 19:53:59 -0700
committer: Stanislav Malyshev <stas@php.net> 2016-09-25 19:53:59 -0700
commit: 0e6fe3a4c96be2d3e88389a5776f878021b4c59f (patch)
tree: b731bd6b607066d09b93bd548382f8fadc08a4c9 /Zend/zend_API.c
parent: e1709b7e588cbda71c577f6e5b701713d0c70a23 (diff)
download: php-git-0e6fe3a4c96be2d3e88389a5776f878021b4c59f.tar.gz
1 files changed, 24 insertions, 0 deletions
diff --git a/Zend/zend_API.c b/Zend/zend_API.c
index 8202b9a505..0757cc9261 100644
--- a/Zend/zend_API.c
+++ b/Zend/zend_API.c
@@ -3776,6 +3776,30 @@ ZEND_API void zend_update_property(zend_class_entry *scope, zval *object, const
 }
 /* }}} */
 
+ZEND_API void zend_unset_property(zend_class_entry *scope, zval *object, const char *name, int name_length TSRMLS_DC) /* {{{ */
+{
+	zval *property;
+	zend_class_entry *old_scope = EG(scope);
+
+	EG(scope) = scope;
+
+	if (!Z_OBJ_HT_P(object)->unset_property) {
+		const char *class_name;
+		zend_uint class_name_len;
+
+		zend_get_object_classname(object, &class_name, &class_name_len TSRMLS_CC);
+
+		zend_error(E_CORE_ERROR, "Property %s of class %s cannot be unset", name, class_name);
+	}
+	MAKE_STD_ZVAL(property);
+	ZVAL_STRINGL(property, name, name_length, 1);
+	Z_OBJ_HT_P(object)->unset_property(object, property, 0 TSRMLS_CC);
+	zval_ptr_dtor(&property);
+
+	EG(scope) = old_scope;
+}
+/* }}} */
+
 ZEND_API void zend_update_property_null(zend_class_entry *scope, zval *object, const char *name, int name_length TSRMLS_DC) /* {{{ */
 {
 	zval *tmp;
author	Stanislav Malyshev <stas@php.net>	2016-09-25 19:53:59 -0700
committer	Stanislav Malyshev <stas@php.net>	2016-09-25 19:53:59 -0700
commit	0e6fe3a4c96be2d3e88389a5776f878021b4c59f (patch)
tree	b731bd6b607066d09b93bd548382f8fadc08a4c9 /Zend/zend_API.c
parent	e1709b7e588cbda71c577f6e5b701713d0c70a23 (diff)
download	php-git-0e6fe3a4c96be2d3e88389a5776f878021b4c59f.tar.gz