authorStanislav Malyshev <stas@php.net>2016-09-12 21:09:30 -0700
committerStanislav Malyshev <stas@php.net>2016-09-12 21:09:30 -0700
commit07c6bdb85d3efe21598ebb8af6fcebceb9d486e9 (patch)
tree0fb02e7c08ec0b50791020ac862fc56e1f475135 /ext/spl
parent2d8ab51576695630a7471ff829cc5ea10becdc0f (diff)
parentc984661d39cfa4db1dd97fde1f59c77a44991440 (diff)
Merge branch 'PHP-7.0.11' into PHP-7.0
* PHP-7.0.11: (22 commits) Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields I don't think 8cceb012a7aabf3c36ab7c2724a436f976cdd165 is needed Fix test Add check in fgetcsv in case sizeof(unit) != sizeof(size_t) Fix bug #73065: Out-Of-Bounds Read in php_wddx_push_element of wddx.c Fix bug #73035 (Out of bound when verify signature of tar phar in phar_parse_tarfile) Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction Fix bug #73029 - Missing type check when unserializing SplArray Fix bug #72860: wddx_deserialize use-after-free Fix bug #73007: add locale length check Fix bug #72928 - Out of bound when verify signature of zip phar in phar_parse_zipfile sync NEWS Revert "Merge branch 'PHP-5.6' into PHP-7.0" Merge branch 'PHP-5.6' into PHP-7.0 Merge branch 'PHP-5.6' into PHP-7.0 Revert "Revert "Merge branch 'PHP-5.6' into PHP-7.0"" fix version sync NEWS Fix bug #72957 set versions ...
Diffstat (limited to 'ext/spl')
-rw-r--r--ext/spl/spl_array.c5
-rw-r--r--ext/spl/tests/bug70068.phpt5
-rw-r--r--ext/spl/tests/bug73029.phpt16
3 files changed, 24 insertions, 2 deletions
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 3bb0e367ea..fe3873541e 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -295,7 +295,7 @@ static zval *spl_array_get_dimension_ptr(int check_inherited, spl_array_object *
zend_string *offset_key;
HashTable *ht = spl_array_get_hash_table(intern);
- if (!offset || Z_ISUNDEF_P(offset)) {
+ if (!offset || Z_ISUNDEF_P(offset) || !ht) {
return &EG(uninitialized_zval);
}
@@ -1790,7 +1790,8 @@ SPL_METHOD(Array, unserialize)
intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK;
zval_ptr_dtor(&intern->array);
ZVAL_UNDEF(&intern->array);
- if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash)) {
+ if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash)
+ || (Z_TYPE(intern->array) != IS_ARRAY && Z_TYPE(intern->array) != IS_OBJECT)) {
goto outexcept;
}
var_push_dtor(&var_hash, &intern->array);
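Review bot: When php_var_unserialize() succeeds but the type check added on the second `||` line fails, intern->array still holds the scalar or string that was just unserialized and it never reaches `var_push_dtor(&var_hash, &intern->array)`; the `outexcept` label is outside the hunk, so confirm that it clears that value (`zval_ptr_dtor(&intern->array); ZVAL_UNDEF(&intern->array);`) before throwing, otherwise a later `spl_array_get_hash_table(intern)` on the half-initialised object presumably reads a HashTable pointer out of a non-array zval. The reason for the check is not recorded in the code; I would add `/* payload must be an array or object: intern->array is used as the backing HashTable holder */` above the condition. The `|| !ht` guard in the first hunk protects only spl_array_get_dimension_ptr(); if spl_array_get_hash_table() can now return NULL, its other callers presumably need the same guard, which cannot be verified from this hunk. SPL_METHOD(Array, unserialize) begins before this hunk.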
diff --git a/ext/spl/tests/bug70068.phpt b/ext/spl/tests/bug70068.phpt
index 92a38dfbd6..96b2fa808f 100644
--- a/ext/spl/tests/bug70068.phpt
+++ b/ext/spl/tests/bug70068.phpt
@@ -2,8 +2,13 @@
Bug #70068 (Dangling pointer in the unserialization of ArrayObject items)
--FILE--
<?php
+try {
$a = unserialize('a:3:{i:0;C:11:"ArrayObject":20:{x:i:0;r:3;;m:a:0:{};}i:1;d:11;i:2;S:31:"AAAAAAAABBBBCCCC\01\00\00\00\04\00\00\00\00\00\00\00\00\00\00";}');
+} catch(Exception $e) {
+ print $e->getMessage()."\n";
+}
?>
OK
--EXPECT--
+Error at offset 10 of 20 bytes
OK \ No newline at end of file
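Review bot: The new `catch(Exception $e)` around the unserialize() call is broader than the behaviour being pinned: the expected line "Error at offset 10 of 20 bytes" is the message that the sibling test bug73029.phpt attributes to UnexpectedValueException, and catching the base class means any other Exception subclass with that message would still pass. Narrowing it to `} catch(UnexpectedValueException $e) {` keeps the two tests consistent and makes a change in the thrown type visible. The file still ends without a trailing newline, as the diff marker shows.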
diff --git a/ext/spl/tests/bug73029.phpt b/ext/spl/tests/bug73029.phpt
new file mode 100644
index 0000000000..a379f8005e
--- /dev/null
+++ b/ext/spl/tests/bug73029.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #73029: Missing type check when unserializing SplArray
+--FILE--
+<?php
+try {
+$a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}';
+$m = unserialize($a);
+$x = $m[2];
+} catch(UnexpectedValueException $e) {
+ print $e->getMessage() . "\n";
+}
+?>
+DONE
+--EXPECTF--
+Error at offset 10 of 19 bytes
+DONE
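Review bot: `--EXPECTF--` is used although the expected block contains no format placeholders; `--EXPECT--` is the stricter section here and avoids a `%` in a future message being interpreted as a pattern. If unserialize() throws, as the expected "Error at offset 10 of 19 bytes" suggests, `$x = $m[2];` is never executed, so this test presumably does not reach the dimension-read path that spl_array.c guards with `!ht` in the same commit; a second case that reads an offset from an ArrayObject whose storage is not an array would cover it. The catch is limited to UnexpectedValueException, which is appropriately narrow.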