Fixed bug #71311: Use-after-free vulnerability in SPL(ArrayObject, unserialize)

author: Stanislav Malyshev <stas@php.net> 2016-01-17 17:53:03 -0800
committer: Stanislav Malyshev <stas@php.net> 2016-01-17 17:53:03 -0800
commit: bcd64a9bdd8afcf7f91a12e700d12d12eedc136b (patch)
tree: 460438ec66186f57f4e635d4f860d667ab17168d /ext/spl/spl_array.c
parent: ff10dceff87f4c94c55e6bc2e962f4bb3d66feb4 (diff)
download: php-git-bcd64a9bdd8afcf7f91a12e700d12d12eedc136b.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 1f4cad1f15..67d2ccb67c 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1778,6 +1778,7 @@ SPL_METHOD(Array, unserialize)
 		intern->ar_flags &= ~SPL_ARRAY_CLONE_MASK;
 		intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK;
 		zval_ptr_dtor(&intern->array);
+		ZVAL_UNDEF(&intern->array);
 		if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash)) {
 			goto outexcept;
 		}
author	Stanislav Malyshev <stas@php.net>	2016-01-17 17:53:03 -0800
committer	Stanislav Malyshev <stas@php.net>	2016-01-17 17:53:03 -0800
commit	bcd64a9bdd8afcf7f91a12e700d12d12eedc136b (patch)
tree	460438ec66186f57f4e635d4f860d667ab17168d /ext/spl/spl_array.c
parent	ff10dceff87f4c94c55e6bc2e962f4bb3d66feb4 (diff)
download	php-git-bcd64a9bdd8afcf7f91a12e700d12d12eedc136b.tar.gz