dmitry Mon Jul 9 14:31:56 2007 UTC Modified files: (Branch: PHP_5_2) /php-src/ext/standard var_unserializer.c var_unserializer.re /php-src/ext/standard/tests/serialize unserializeS.phpt Log: Proper fix for MOPB-29 http://cvs.php.net/viewvc.cgi/php-src/ext/standard/var_unserializer.c?r1=1.70.2.4.2.5&r2=1.70.2.4.2.6&diff_format=u Index: php-src/ext/standard/var_unserializer.c diff -u php-src/ext/standard/var_unserializer.c:1.70.2.4.2.5 php-src/ext/standard/var_unserializer.c:1.70.2.4.2.6 --- php-src/ext/standard/var_unserializer.c:1.70.2.4.2.5 Tue Mar 27 09:29:10 2007 +++ php-src/ext/standard/var_unserializer.c Mon Jul 9 14:31:56 2007 @@ -18,7 +18,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: var_unserializer.c,v 1.70.2.4.2.5 2007/03/27 09:29:10 tony2001 Exp $ */ +/* $Id: var_unserializer.c,v 1.70.2.4.2.6 2007/07/09 14:31:56 dmitry Exp $ */ #include "php.h" #include "ext/standard/php_var.h" @@ -140,18 +140,22 @@ /* }}} */ -static char *unserialize_str(const unsigned char **p, size_t *len) +static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen) { size_t i, j; char *str = safe_emalloc(*len, 1, 1); - unsigned char *end = *(unsigned char **)p+*len; + unsigned char *end = *(unsigned char **)p+maxlen; if(end < *p) { efree(str); return NULL; } - for (i = 0; i < *len && *p < end; i++) { + for (i = 0; i < *len; i++) { + if (*p >= end) { + efree(str); + return NULL; + } if (**p != '\\') { str[i] = (char)**p; } else { @@ -757,7 +761,7 @@ return 0; } - if ((str = unserialize_str(&YYCURSOR, &len)) == NULL) { + if ((str = unserialize_str(&YYCURSOR, &len, maxlen)) == NULL) { return 0; } http://cvs.php.net/viewvc.cgi/php-src/ext/standard/var_unserializer.re?r1=1.52.2.2.2.3&r2=1.52.2.2.2.4&diff_format=u Index: php-src/ext/standard/var_unserializer.re diff -u php-src/ext/standard/var_unserializer.re:1.52.2.2.2.3 php-src/ext/standard/var_unserializer.re:1.52.2.2.2.4 --- php-src/ext/standard/var_unserializer.re:1.52.2.2.2.3 Tue Mar 27 09:29:10 2007 +++ php-src/ext/standard/var_unserializer.re Mon Jul 9 14:31:56 2007 @@ -16,7 +16,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: var_unserializer.re,v 1.52.2.2.2.3 2007/03/27 09:29:10 tony2001 Exp $ */ +/* $Id: var_unserializer.re,v 1.52.2.2.2.4 2007/07/09 14:31:56 dmitry Exp $ */ #include "php.h" #include "ext/standard/php_var.h" @@ -138,18 +138,22 @@ /* }}} */ -static char *unserialize_str(const unsigned char **p, size_t *len) +static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen) { size_t i, j; char *str = safe_emalloc(*len, 1, 1); - unsigned char *end = *(unsigned char **)p+*len; + unsigned char *end = *(unsigned char **)p+maxlen; if(end < *p) { efree(str); return NULL; } - for (i = 0; i < *len && *p < end; i++) { + for (i = 0; i < *len; i++) { + if (*p >= end) { + efree(str); + return NULL; + } if (**p != '\\') { str[i] = (char)**p; } else { @@ -525,7 +529,7 @@ return 0; } - if ((str = unserialize_str(&YYCURSOR, &len)) == NULL) { + if ((str = unserialize_str(&YYCURSOR, &len, maxlen)) == NULL) { return 0; } http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/serialize/unserializeS.phpt?r1=1.1.2.1&r2=1.1.2.2&diff_format=u Index: php-src/ext/standard/tests/serialize/unserializeS.phpt diff -u php-src/ext/standard/tests/serialize/unserializeS.phpt:1.1.2.1 php-src/ext/standard/tests/serialize/unserializeS.phpt:1.1.2.2 --- php-src/ext/standard/tests/serialize/unserializeS.phpt:1.1.2.1 Fri Mar 23 20:15:22 2007 +++ php-src/ext/standard/tests/serialize/unserializeS.phpt Mon Jul 9 14:31:56 2007 @@ -11,4 +11,4 @@ var_dump($data); --EXPECT-- -string(100) "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +bool(false)
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php