From 1806ce9cb019ee74ddb540cbc07daf121dcb5537 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Tue, 24 Sep 2019 11:50:26 +0200 Subject: Add max_depth option to unserialize() Add a max_depth option to unserialize and an unserialize_max_depth ini setting, which can be used to control the depth limit. The default value is 4096. This option is intended to prevent stack overflows during the unserialization of deeply nested structures. This fixes bug #78549 and addresses oss-fuzz #17581, #17589, #17664, and #17788. --- php.ini-development | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'php.ini-development') diff --git a/php.ini-development b/php.ini-development index 920dd5d23a..4ac6c44b1e 100644 --- a/php.ini-development +++ b/php.ini-development @@ -284,6 +284,13 @@ implicit_flush = Off ; callback-function. unserialize_callback_func = +; The unserialize_max_depth specifies the default depth limit for unserialized +; structures. Setting the depth limit too high may result in stack overflows +; during unserialization. The unserialize_max_depth ini setting can be +; overridden by the max_depth option on individual unserialize() calls. +; A value of 0 disables the depth limit. +;unserialize_max_depth = 4096 + ; When floats & doubles are serialized, store serialize_precision significant ; digits after the floating point. The default value ensures that when floats ; are decoded with unserialize, the data will remain the same. -- cgit v1.2.1
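Review bot: in the new comment block after "unserialize_callback_func =", the sentence "A value of 0 disables the depth limit." should also state that disabling the limit removes the stack-overflow protection the setting exists for, since the preceding sentence only warns about a limit that is "too high"; e.g. "A value of 0 disables the depth limit entirely and re-exposes the stack overflow this setting guards against." A short pointer that the default of 4096 applies when the line stays commented out would also help, matching how the other settings in this file document their defaults. This view is limited to php.ini-development; as that file and php.ini-production are kept in step, confirm the identical block is added there too.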