diff options
| author | Nikita Popov <nikic@php.net> | 2016-11-05 23:10:19 +0100 |
|---|---|---|
| committer | Nikita Popov <nikic@php.net> | 2016-11-05 23:10:19 +0100 |
| commit | c0762bd8c8e6602a1c2a9e3d795bd5d779fb7abc (patch) | |
| tree | ede2a78921ec8e65fe546ac0c05364acffa1e702 | |
| parent | faae3122d24ef8f241168ca5b9535355583ae3a0 (diff) | |
| parent | b2af4e8868726a040234de113436c6e4f6372d17 (diff) | |
| download | php-git-c0762bd8c8e6602a1c2a9e3d795bd5d779fb7abc.tar.gz | |
Merge branch 'PHP-7.0' into PHP-7.1
| -rw-r--r-- | ext/standard/tests/serialize/bug70172_2.phpt | 6 | ||||
| -rw-r--r-- | ext/standard/var.c | 15 |
2 files changed, 7 insertions, 14 deletions
diff --git a/ext/standard/tests/serialize/bug70172_2.phpt b/ext/standard/tests/serialize/bug70172_2.phpt index dc9067168a..2b12a78edb 100644 --- a/ext/standard/tests/serialize/bug70172_2.phpt +++ b/ext/standard/tests/serialize/bug70172_2.phpt @@ -1,7 +1,5 @@ --TEST-- Bug #70172 - Use After Free Vulnerability in unserialize() ---XFAIL-- -Unfinished merge, needs fix. --FILE-- <?php class obj implements Serializable { @@ -61,10 +59,10 @@ array(2) { [0]=> array(1) { [0]=> - &object(obj2)#%d (1) { + object(obj2)#%d (1) { ["ryat"]=> int(1) } } } -}
\ No newline at end of file +} diff --git a/ext/standard/var.c b/ext/standard/var.c index 8722f3df34..7e84c91e70 100644 --- a/ext/standard/var.c +++ b/ext/standard/var.c @@ -1065,6 +1065,7 @@ PHP_FUNCTION(unserialize) const unsigned char *p; php_unserialize_data_t var_hash; zval *options = NULL, *classes = NULL; + zval *retval; HashTable *class_hash = NULL, *prev_class_hash; if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|a", &buf, &buf_len, &options) == FAILURE) { @@ -1105,22 +1106,16 @@ PHP_FUNCTION(unserialize) php_var_unserialize_set_allowed_classes(var_hash, class_hash); } - if (!php_var_unserialize(return_value, &p, p + buf_len, &var_hash)) { - zval_ptr_dtor(return_value); + retval = var_tmp_var(&var_hash); + if (!php_var_unserialize(retval, &p, p + buf_len, &var_hash)) { if (!EG(exception)) { php_error_docref(NULL, E_NOTICE, "Error at offset " ZEND_LONG_FMT " of %zd bytes", (zend_long)((char*)p - buf), buf_len); } RETVAL_FALSE; } else { - /* We should keep an reference to return_value to prevent it from being dtor - in case nesting calls to unserialize */ - var_push_dtor(&var_hash, return_value); - - /* Ensure return value is a value */ - if (Z_ISREF_P(return_value)) { - zend_unwrap_reference(return_value); - } + ZVAL_DEREF(retval); + ZVAL_COPY(return_value, retval); } if (class_hash) { |