Diffstat (limited to 'ext/standard/var_unserializer.re')
-rw-r--r--ext/standard/var_unserializer.re20
1 files changed, 17 insertions, 3 deletions
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index ce84bf5eb4..4cdf313735 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -409,6 +409,11 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
{
long elements;
+ if( *p >= max - 2) {
+ zend_error(E_WARNING, "Bad unserialize data");
+ return -1;
+ }
+
elements = parse_iv2((*p) + 2, p);
(*p) += 2;
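Review bot: The guard added at the top of object_common1 checks only the position before parsing; the `(*p) += 2` that follows `parse_iv2((*p) + 2, p)` is still not compared against `max`. parse_iv2 is called without an end pointer, so, assuming it leaves `*p` just past the digits it consumed, a count that runs to the end of the buffer would put `*p` beyond `max` after the skip. A second check before the skip would close that gap: `if (max - *p < 2) { zend_error(E_WARNING, "Bad unserialize data"); return -1; }`. Writing the first guard in the same `max - *p` form would also avoid computing `max - 2` on a very short buffer. The rest of the function body lies outside this hunk.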
@@ -419,7 +424,7 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
/* If this class implements Serializable, it should not land here but in object_custom(). The passed string
obviously doesn't descend from the regular serializer. */
zend_error(E_WARNING, "Erroneous data format for unserializing '%s'", ce->name);
- return 0;
+ return -1;
}
return elements;
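Review bot: object_common1 now reports failure as -1 on this path, but nothing documents that contract, and the same `long` also carries the count parsed from the input. If parse_iv2 accepts a sign, a negative count in the serialized data would reach the `elements < 0` checks in the callers and be rejected as the same failure, only without a warning. A comment above the function would make this explicit: `/* Returns the element count, or a negative value on malformed input; callers must check for < 0 before calling object_common2(). */`. The start of the function lies outside this hunk.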
@@ -697,12 +702,16 @@ use_double:
}
"o:" iv ":" ["] {
+ long elements;
if (!var_hash) return 0;
INIT_PZVAL(*rval);
- return object_common2(UNSERIALIZE_PASSTHRU,
- object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
+ elements = object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR);
+ if (elements < 0) {
+ return 0;
+ }
+ return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
object ":" uiv ":" ["] {
@@ -844,6 +853,11 @@ object ":" uiv ":" ["] {
elements = object_common1(UNSERIALIZE_PASSTHRU, ce);
+ if (elements < 0) {
+ efree(class_name);
+ return 0;
+ }
+
if (incomplete_class) {
php_store_class_name(*rval, class_name, len2);
}