dmitry          Mon Jul  9 14:31:56 2007 UTC

  Modified files:              (Branch: PHP_5_2)
    /php-src/ext/standard       var_unserializer.c var_unserializer.re 
    /php-src/ext/standard/tests/serialize       unserializeS.phpt 
  Log:
  Proper fix for MOPB-29
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/var_unserializer.c?r1=1.70.2.4.2.5&r2=1.70.2.4.2.6&diff_format=u
Index: php-src/ext/standard/var_unserializer.c
diff -u php-src/ext/standard/var_unserializer.c:1.70.2.4.2.5 
php-src/ext/standard/var_unserializer.c:1.70.2.4.2.6
--- php-src/ext/standard/var_unserializer.c:1.70.2.4.2.5        Tue Mar 27 
09:29:10 2007
+++ php-src/ext/standard/var_unserializer.c     Mon Jul  9 14:31:56 2007
@@ -18,7 +18,7 @@
   +----------------------------------------------------------------------+
 */
 
-/* $Id: var_unserializer.c,v 1.70.2.4.2.5 2007/03/27 09:29:10 tony2001 Exp $ */
+/* $Id: var_unserializer.c,v 1.70.2.4.2.6 2007/07/09 14:31:56 dmitry Exp $ */
 
 #include "php.h"
 #include "ext/standard/php_var.h"
@@ -140,18 +140,22 @@
 
 /* }}} */
 
-static char *unserialize_str(const unsigned char **p, size_t *len)
+static char *unserialize_str(const unsigned char **p, size_t *len, size_t 
maxlen)
 {
        size_t i, j;
        char *str = safe_emalloc(*len, 1, 1);
-       unsigned char *end = *(unsigned char **)p+*len;
+       unsigned char *end = *(unsigned char **)p+maxlen;
 
        if(end < *p) {
                efree(str);
                return NULL;
        }
 
-       for (i = 0; i < *len && *p < end; i++) {
+       for (i = 0; i < *len; i++) {
+               if (*p >= end) {
+                       efree(str);
+                       return NULL;
+               }
                if (**p != '\\') {
                        str[i] = (char)**p;
                } else {
@@ -757,7 +761,7 @@
                return 0;
        }
 
-       if ((str = unserialize_str(&YYCURSOR, &len)) == NULL) {
+       if ((str = unserialize_str(&YYCURSOR, &len, maxlen)) == NULL) {
                return 0;
        }
 
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/var_unserializer.re?r1=1.52.2.2.2.3&r2=1.52.2.2.2.4&diff_format=u
Index: php-src/ext/standard/var_unserializer.re
diff -u php-src/ext/standard/var_unserializer.re:1.52.2.2.2.3 
php-src/ext/standard/var_unserializer.re:1.52.2.2.2.4
--- php-src/ext/standard/var_unserializer.re:1.52.2.2.2.3       Tue Mar 27 
09:29:10 2007
+++ php-src/ext/standard/var_unserializer.re    Mon Jul  9 14:31:56 2007
@@ -16,7 +16,7 @@
   +----------------------------------------------------------------------+
 */
 
-/* $Id: var_unserializer.re,v 1.52.2.2.2.3 2007/03/27 09:29:10 tony2001 Exp $ 
*/
+/* $Id: var_unserializer.re,v 1.52.2.2.2.4 2007/07/09 14:31:56 dmitry Exp $ */
 
 #include "php.h"
 #include "ext/standard/php_var.h"
@@ -138,18 +138,22 @@
 
 /* }}} */
 
-static char *unserialize_str(const unsigned char **p, size_t *len)
+static char *unserialize_str(const unsigned char **p, size_t *len, size_t 
maxlen)
 {
        size_t i, j;
        char *str = safe_emalloc(*len, 1, 1);
-       unsigned char *end = *(unsigned char **)p+*len;
+       unsigned char *end = *(unsigned char **)p+maxlen;
 
        if(end < *p) {
                efree(str);
                return NULL;
        }
 
-       for (i = 0; i < *len && *p < end; i++) {
+       for (i = 0; i < *len; i++) {
+               if (*p >= end) {
+                       efree(str);
+                       return NULL;
+               }
                if (**p != '\\') {
                        str[i] = (char)**p;
                } else {
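Review bot: The new `if (*p >= end)` test at the top of the loop bounds only the first byte of each iteration, while the `} else {` branch that handles a backslash continues outside this hunk. If that branch advances `*p` to read escape digits (two of them, presumably), those reads are not covered by the check and could step past `end`; a guard on entry to the branch such as `if (end - *p < 3) { efree(str); return NULL; }` would close that. Separately, `end < *p` detects overflow only through pointer wraparound, which C leaves undefined, so validating `maxlen` as a length before forming `end` would be more robust. The same code appears in the var_unserializer.c hunk, which looks like the output generated from this .re file. A short comment above the signature stating that `maxlen` is the number of input bytes remaining at `*p` would document the contract the caller must keep.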
@@ -525,7 +529,7 @@
                return 0;
        }
 
-       if ((str = unserialize_str(&YYCURSOR, &len)) == NULL) {
+       if ((str = unserialize_str(&YYCURSOR, &len, maxlen)) == NULL) {
                return 0;
        }
 
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/serialize/unserializeS.phpt?r1=1.1.2.1&r2=1.1.2.2&diff_format=u
Index: php-src/ext/standard/tests/serialize/unserializeS.phpt
diff -u php-src/ext/standard/tests/serialize/unserializeS.phpt:1.1.2.1 
php-src/ext/standard/tests/serialize/unserializeS.phpt:1.1.2.2
--- php-src/ext/standard/tests/serialize/unserializeS.phpt:1.1.2.1      Fri Mar 
23 20:15:22 2007
+++ php-src/ext/standard/tests/serialize/unserializeS.phpt      Mon Jul  9 
14:31:56 2007
@@ -11,4 +11,4 @@
 var_dump($data);
 
 --EXPECT--
-string(100) 
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+bool(false)
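Review bot: With the expectation changed to `bool(false)`, the visible part of this test now asserts only the rejection path, so nothing shown here checks that a well-formed escaped string still decodes. The script body is outside the hunk, so this may already be covered elsewhere. If it is not, a second `var_dump(unserialize(...))` on a valid `S:` value, with its expected `string(N)` line, would keep the decoder's success path under test. A one-line comment in the `--FILE--` section stating why the input is expected to be rejected would also help the next reader.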
