summaryrefslogtreecommitdiff
path: root/ext/standard/var_unserializer.c
diff options
context:
space:
mode:
Diffstat (limited to 'ext/standard/var_unserializer.c')
-rw-r--r--ext/standard/var_unserializer.c80
1 files changed, 47 insertions, 33 deletions
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
index 549149267e..efb0942b05 100644
--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
@@ -405,6 +405,11 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
{
long elements;
+ if( *p >= max - 2) {
+ zend_error(E_WARNING, "Bad unserialize data");
+ return -1;
+ }
+
elements = parse_iv2((*p) + 2, p);
(*p) += 2;
@@ -415,7 +420,7 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
/* If this class implements Serializable, it should not land here but in object_custom(). The passed string
obviously doesn't descend from the regular serializer. */
zend_error(E_WARNING, "Erroneous data format for unserializing '%s'", ce->name);
- return 0;
+ return -1;
}
return elements;
@@ -492,7 +497,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
-#line 496 "ext/standard/var_unserializer.c"
+#line 501 "ext/standard/var_unserializer.c"
{
YYCTYPE yych;
static const unsigned char yybm[] = {
@@ -552,9 +557,9 @@ yy2:
yych = *(YYMARKER = ++YYCURSOR);
if (yych == ':') goto yy95;
yy3:
-#line 861 "ext/standard/var_unserializer.re"
+#line 875 "ext/standard/var_unserializer.re"
{ return 0; }
-#line 558 "ext/standard/var_unserializer.c"
+#line 563 "ext/standard/var_unserializer.c"
yy4:
yych = *(YYMARKER = ++YYCURSOR);
if (yych == ':') goto yy89;
@@ -597,13 +602,13 @@ yy13:
goto yy3;
yy14:
++YYCURSOR;
-#line 855 "ext/standard/var_unserializer.re"
+#line 869 "ext/standard/var_unserializer.re"
{
/* this is the case where we have less data than planned */
php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data");
return 0; /* not sure if it should be 0 or 1 here? */
}
-#line 607 "ext/standard/var_unserializer.c"
+#line 612 "ext/standard/var_unserializer.c"
yy16:
yych = *++YYCURSOR;
goto yy3;
@@ -634,7 +639,7 @@ yy20:
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 708 "ext/standard/var_unserializer.re"
+#line 717 "ext/standard/var_unserializer.re"
{
size_t len, len2, len3, maxlen;
long elements;
@@ -774,6 +779,11 @@ yy20:
elements = object_common1(UNSERIALIZE_PASSTHRU, ce);
+ if (elements < 0) {
+ efree(class_name);
+ return 0;
+ }
+
if (incomplete_class) {
php_store_class_name(*rval, class_name, len2);
}
@@ -781,7 +791,7 @@ yy20:
return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
-#line 785 "ext/standard/var_unserializer.c"
+#line 795 "ext/standard/var_unserializer.c"
yy25:
yych = *++YYCURSOR;
if (yych <= ',') {
@@ -806,16 +816,20 @@ yy27:
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 699 "ext/standard/var_unserializer.re"
+#line 704 "ext/standard/var_unserializer.re"
{
+ long elements;
if (!var_hash) return 0;
INIT_PZVAL(*rval);
- return object_common2(UNSERIALIZE_PASSTHRU,
- object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
+ elements = object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR);
+ if (elements < 0) {
+ return 0;
+ }
+ return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
-#line 819 "ext/standard/var_unserializer.c"
+#line 833 "ext/standard/var_unserializer.c"
yy32:
yych = *++YYCURSOR;
if (yych == '+') goto yy33;
@@ -836,7 +850,7 @@ yy34:
yych = *++YYCURSOR;
if (yych != '{') goto yy18;
++YYCURSOR;
-#line 678 "ext/standard/var_unserializer.re"
+#line 683 "ext/standard/var_unserializer.re"
{
long elements = parse_iv(start + 2);
/* use iv() not uiv() in order to check data range */
@@ -857,7 +871,7 @@ yy34:
return finish_nested_data(UNSERIALIZE_PASSTHRU);
}
-#line 861 "ext/standard/var_unserializer.c"
+#line 875 "ext/standard/var_unserializer.c"
yy39:
yych = *++YYCURSOR;
if (yych == '+') goto yy40;
@@ -878,7 +892,7 @@ yy41:
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 643 "ext/standard/var_unserializer.re"
+#line 648 "ext/standard/var_unserializer.re"
{
size_t len, maxlen;
char *str;
@@ -913,7 +927,7 @@ yy41:
ZVAL_STRINGL(*rval, str, len, 0);
return 1;
}
-#line 917 "ext/standard/var_unserializer.c"
+#line 931 "ext/standard/var_unserializer.c"
yy46:
yych = *++YYCURSOR;
if (yych == '+') goto yy47;
@@ -934,7 +948,7 @@ yy48:
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 610 "ext/standard/var_unserializer.re"
+#line 615 "ext/standard/var_unserializer.re"
{
size_t len, maxlen;
char *str;
@@ -967,7 +981,7 @@ yy48:
ZVAL_STRINGL(*rval, str, len, 1);
return 1;
}
-#line 971 "ext/standard/var_unserializer.c"
+#line 985 "ext/standard/var_unserializer.c"
yy53:
yych = *++YYCURSOR;
if (yych <= '/') {
@@ -1055,7 +1069,7 @@ yy61:
}
yy63:
++YYCURSOR;
-#line 600 "ext/standard/var_unserializer.re"
+#line 605 "ext/standard/var_unserializer.re"
{
#if SIZEOF_LONG == 4
use_double:
@@ -1065,7 +1079,7 @@ use_double:
ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL));
return 1;
}
-#line 1069 "ext/standard/var_unserializer.c"
+#line 1083 "ext/standard/var_unserializer.c"
yy65:
yych = *++YYCURSOR;
if (yych <= ',') {
@@ -1124,7 +1138,7 @@ yy73:
yych = *++YYCURSOR;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 585 "ext/standard/var_unserializer.re"
+#line 590 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
INIT_PZVAL(*rval);
@@ -1139,7 +1153,7 @@ yy73:
return 1;
}
-#line 1143 "ext/standard/var_unserializer.c"
+#line 1157 "ext/standard/var_unserializer.c"
yy76:
yych = *++YYCURSOR;
if (yych == 'N') goto yy73;
@@ -1166,7 +1180,7 @@ yy79:
if (yych <= '9') goto yy79;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 558 "ext/standard/var_unserializer.re"
+#line 563 "ext/standard/var_unserializer.re"
{
#if SIZEOF_LONG == 4
int digits = YYCURSOR - start - 3;
@@ -1193,7 +1207,7 @@ yy79:
ZVAL_LONG(*rval, parse_iv(start + 2));
return 1;
}
-#line 1197 "ext/standard/var_unserializer.c"
+#line 1211 "ext/standard/var_unserializer.c"
yy83:
yych = *++YYCURSOR;
if (yych <= '/') goto yy18;
@@ -1201,24 +1215,24 @@ yy83:
yych = *++YYCURSOR;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 551 "ext/standard/var_unserializer.re"
+#line 556 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
INIT_PZVAL(*rval);
ZVAL_BOOL(*rval, parse_iv(start + 2));
return 1;
}
-#line 1212 "ext/standard/var_unserializer.c"
+#line 1226 "ext/standard/var_unserializer.c"
yy87:
++YYCURSOR;
-#line 544 "ext/standard/var_unserializer.re"
+#line 549 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
INIT_PZVAL(*rval);
ZVAL_NULL(*rval);
return 1;
}
-#line 1222 "ext/standard/var_unserializer.c"
+#line 1236 "ext/standard/var_unserializer.c"
yy89:
yych = *++YYCURSOR;
if (yych <= ',') {
@@ -1241,7 +1255,7 @@ yy91:
if (yych <= '9') goto yy91;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 521 "ext/standard/var_unserializer.re"
+#line 526 "ext/standard/var_unserializer.re"
{
long id;
@@ -1264,7 +1278,7 @@ yy91:
return 1;
}
-#line 1268 "ext/standard/var_unserializer.c"
+#line 1282 "ext/standard/var_unserializer.c"
yy95:
yych = *++YYCURSOR;
if (yych <= ',') {
@@ -1287,7 +1301,7 @@ yy97:
if (yych <= '9') goto yy97;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 500 "ext/standard/var_unserializer.re"
+#line 505 "ext/standard/var_unserializer.re"
{
long id;
@@ -1308,9 +1322,9 @@ yy97:
return 1;
}
-#line 1312 "ext/standard/var_unserializer.c"
+#line 1326 "ext/standard/var_unserializer.c"
}
-#line 863 "ext/standard/var_unserializer.re"
+#line 877 "ext/standard/var_unserializer.re"
return 0;
View Lorry Controller Status