diff options
author | Stanislav Malyshev <stas@php.net> | 2014-12-16 10:19:32 -0800 |
---|---|---|
committer | Ferenc Kovacs <tyrael@php.net> | 2014-12-17 02:25:00 +0100 |
commit | c37265eacdd0186cb3b0bfeb0e0104c8563807ef (patch) | |
tree | 82ebc9952ec93c3046d7b99c9fd0e9673dddb8f2 /ext/standard/var_unserializer.re | |
parent | fe1ab0e566dccf794483d0dfab7f06e6c095b1a2 (diff) | |
download | php-git-c37265eacdd0186cb3b0bfeb0e0104c8563807ef.tar.gz |
* PHP-5.5:
update news
add CVE
add missing test file
Fix bug #68594 - Use after free vulnerability in unserialize()
Conflicts:
ext/standard/var_unserializer.c
Diffstat (limited to 'ext/standard/var_unserializer.re')
-rw-r--r-- | ext/standard/var_unserializer.re | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index 5d9d83b677..387ba6aea7 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re @@ -346,6 +346,9 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long } else { /* object properties should include no integers */ convert_to_string(key); + if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { + var_push_dtor(var_hash, old_data); + } zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof data, NULL); } |