Fix bug #70365 - use-after-free vulnerability in unserialize() with SplObjectStorage

author: Stanislav Malyshev <stas@php.net> 2015-09-01 00:14:15 -0700
committer: Stanislav Malyshev <stas@php.net> 2015-09-01 00:14:15 -0700
commit: f06a069c462d37c2e009f6d1d93b8c8e7b713393 (patch)
tree: b2e1db429b0c790d65c7ddc13065037adb37db8e /ext/spl/spl_observer.c
parent: e8429400d40e3c3aa4b22ba701991d698a2f3b2f (diff)
download: php-git-f06a069c462d37c2e009f6d1d93b8c8e7b713393.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index 5d94a3b7b3..6a2e3211e5 100644
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -853,6 +853,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
 			zval_ptr_dtor(&pentry);
 			goto outexcept;
 		}
+		var_push_dtor(&var_hash, &pentry);
 		if(Z_TYPE_P(pentry) != IS_OBJECT) {
 			zval_ptr_dtor(&pentry);
 			goto outexcept;
@@ -864,6 +865,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
 				zval_ptr_dtor(&pinf);
 				goto outexcept;
 			}
+			var_push_dtor(&var_hash, &pinf);
 		}
 
 		hash = spl_object_storage_get_hash(intern, getThis(), pentry, &hash_len TSRMLS_CC);
author	Stanislav Malyshev <stas@php.net>	2015-09-01 00:14:15 -0700
committer	Stanislav Malyshev <stas@php.net>	2015-09-01 00:14:15 -0700
commit	f06a069c462d37c2e009f6d1d93b8c8e7b713393 (patch)
tree	b2e1db429b0c790d65c7ddc13065037adb37db8e /ext/spl/spl_observer.c
parent	e8429400d40e3c3aa4b22ba701991d698a2f3b2f (diff)
download	php-git-f06a069c462d37c2e009f6d1d93b8c8e7b713393.tar.gz