diff options
| author | Xinchen Hui <laruence@gmail.com> | 2016-03-17 14:27:27 +0800 |
|---|---|---|
| committer | Xinchen Hui <laruence@gmail.com> | 2016-03-17 15:15:28 +0800 |
| commit | 6f241f5fad3a26810c96d5b634bfbceaeac10176 (patch) | |
| tree | 81d58c25bd7e2617726e054fe2a64cfbb37e5b94 /ext/standard/var_unserializer.c | |
| parent | 14f4848fb0e900c34129eead3c9ca92157b23aac (diff) | |
| download | php-git-6f241f5fad3a26810c96d5b634bfbceaeac10176.tar.gz | |
Fixed bug #71840 (Unserialize accepts wrongly data)
Diffstat (limited to 'ext/standard/var_unserializer.c')
| -rw-r--r-- | ext/standard/var_unserializer.c | 54 |
1 files changed, 32 insertions, 22 deletions
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c index 90db7f4a5f..1e45b03fcc 100644 --- a/ext/standard/var_unserializer.c +++ b/ext/standard/var_unserializer.c @@ -1,4 +1,4 @@ -/* Generated by re2c 0.13.7.5 */ +/* Generated by re2c 0.13.5 */ #line 1 "ext/standard/var_unserializer.re" /* +----------------------------------------------------------------------+ @@ -542,7 +542,7 @@ yy2: yych = *(YYMARKER = ++YYCURSOR); if (yych == ':') goto yy95; yy3: -#line 840 "ext/standard/var_unserializer.re" +#line 851 "ext/standard/var_unserializer.re" { return 0; } #line 548 "ext/standard/var_unserializer.c" yy4: @@ -587,7 +587,7 @@ yy13: goto yy3; yy14: ++YYCURSOR; -#line 834 "ext/standard/var_unserializer.re" +#line 845 "ext/standard/var_unserializer.re" { /* this is the case where we have less data than planned */ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data"); @@ -619,12 +619,11 @@ yy20: if (yybm[0+yych] & 128) { goto yy20; } - if (yych <= '/') goto yy18; - if (yych >= ';') goto yy18; + if (yych != ':') goto yy18; yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 687 "ext/standard/var_unserializer.re" +#line 698 "ext/standard/var_unserializer.re" { size_t len, len2, len3, maxlen; long elements; @@ -771,7 +770,7 @@ yy20: return object_common2(UNSERIALIZE_PASSTHRU, elements); } -#line 775 "ext/standard/var_unserializer.c" +#line 774 "ext/standard/var_unserializer.c" yy25: yych = *++YYCURSOR; if (yych <= ',') { @@ -796,7 +795,7 @@ yy27: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 678 "ext/standard/var_unserializer.re" +#line 689 "ext/standard/var_unserializer.re" { if (!var_hash) return 0; @@ -805,7 +804,7 @@ yy27: return object_common2(UNSERIALIZE_PASSTHRU, object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR)); } -#line 809 "ext/standard/var_unserializer.c" +#line 808 "ext/standard/var_unserializer.c" yy32: yych = *++YYCURSOR; if (yych == '+') goto yy33; @@ -826,7 +825,7 @@ yy34: yych = *++YYCURSOR; if (yych != '{') goto yy18; ++YYCURSOR; -#line 657 "ext/standard/var_unserializer.re" +#line 668 "ext/standard/var_unserializer.re" { long elements = parse_iv(start + 2); /* use iv() not uiv() in order to check data range */ @@ -847,7 +846,7 @@ yy34: return finish_nested_data(UNSERIALIZE_PASSTHRU); } -#line 851 "ext/standard/var_unserializer.c" +#line 850 "ext/standard/var_unserializer.c" yy39: yych = *++YYCURSOR; if (yych == '+') goto yy40; @@ -868,7 +867,7 @@ yy41: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 628 "ext/standard/var_unserializer.re" +#line 633 "ext/standard/var_unserializer.re" { size_t len, maxlen; char *str; @@ -890,6 +889,12 @@ yy41: return 0; } + if (*(YYCURSOR + 1) != ';') { + efree(str); + *p = YYCURSOR + 1; + return 0; + } + YYCURSOR += 2; *p = YYCURSOR; @@ -897,7 +902,7 @@ yy41: ZVAL_STRINGL(*rval, str, len, 0); return 1; } -#line 901 "ext/standard/var_unserializer.c" +#line 906 "ext/standard/var_unserializer.c" yy46: yych = *++YYCURSOR; if (yych == '+') goto yy47; @@ -939,6 +944,11 @@ yy48: return 0; } + if (*(YYCURSOR + 1) != ';') { + *p = YYCURSOR + 1; + return 0; + } + YYCURSOR += 2; *p = YYCURSOR; @@ -946,7 +956,7 @@ yy48: ZVAL_STRINGL(*rval, str, len, 1); return 1; } -#line 950 "ext/standard/var_unserializer.c" +#line 960 "ext/standard/var_unserializer.c" yy53: yych = *++YYCURSOR; if (yych <= '/') { @@ -1044,7 +1054,7 @@ use_double: ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL)); return 1; } -#line 1048 "ext/standard/var_unserializer.c" +#line 1058 "ext/standard/var_unserializer.c" yy65: yych = *++YYCURSOR; if (yych <= ',') { @@ -1118,7 +1128,7 @@ yy73: return 1; } -#line 1122 "ext/standard/var_unserializer.c" +#line 1132 "ext/standard/var_unserializer.c" yy76: yych = *++YYCURSOR; if (yych == 'N') goto yy73; @@ -1172,7 +1182,7 @@ yy79: ZVAL_LONG(*rval, parse_iv(start + 2)); return 1; } -#line 1176 "ext/standard/var_unserializer.c" +#line 1186 "ext/standard/var_unserializer.c" yy83: yych = *++YYCURSOR; if (yych <= '/') goto yy18; @@ -1187,7 +1197,7 @@ yy83: ZVAL_BOOL(*rval, parse_iv(start + 2)); return 1; } -#line 1191 "ext/standard/var_unserializer.c" +#line 1201 "ext/standard/var_unserializer.c" yy87: ++YYCURSOR; #line 534 "ext/standard/var_unserializer.re" @@ -1197,7 +1207,7 @@ yy87: ZVAL_NULL(*rval); return 1; } -#line 1201 "ext/standard/var_unserializer.c" +#line 1211 "ext/standard/var_unserializer.c" yy89: yych = *++YYCURSOR; if (yych <= ',') { @@ -1243,7 +1253,7 @@ yy91: return 1; } -#line 1247 "ext/standard/var_unserializer.c" +#line 1257 "ext/standard/var_unserializer.c" yy95: yych = *++YYCURSOR; if (yych <= ',') { @@ -1287,9 +1297,9 @@ yy97: return 1; } -#line 1291 "ext/standard/var_unserializer.c" +#line 1301 "ext/standard/var_unserializer.c" } -#line 842 "ext/standard/var_unserializer.re" +#line 853 "ext/standard/var_unserializer.re" return 0; |