dmitry Mon Jul 9 14:33:37 2007 UTC
Modified files:
/php-src/ext/standard var_unserializer.c var_unserializer.re
/php-src/ext/standard/tests/serialize unserializeS.phpt
Log:
Proper fix for MOPB-29
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/var_unserializer.c?r1=1.87&r2=1.88&diff_format=u
Index: php-src/ext/standard/var_unserializer.c
diff -u php-src/ext/standard/var_unserializer.c:1.87
php-src/ext/standard/var_unserializer.c:1.88
--- php-src/ext/standard/var_unserializer.c:1.87 Mon Jul 9 13:43:50 2007
+++ php-src/ext/standard/var_unserializer.c Mon Jul 9 14:33:37 2007
@@ -18,7 +18,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: var_unserializer.c,v 1.87 2007/07/09 13:43:50 dmitry Exp $ */
+/* $Id: var_unserializer.c,v 1.88 2007/07/09 14:33:37 dmitry Exp $ */
#include "php.h"
#include "ext/standard/php_var.h"
@@ -112,18 +112,22 @@
return ustr;
}
-static char *unserialize_str(const unsigned char **p, int *len)
+static char *unserialize_str(const unsigned char **p, size_t *len, size_t
maxlen)
{
size_t i, j;
char *str = safe_emalloc(*len, 1, 1);
- unsigned char *end = *(unsigned char **)p+*len;
+ unsigned char *end = *(unsigned char **)p+maxlen;
if(end < *p) {
efree(str);
return NULL;
}
- for (i = 0; i < *len && *p < end; i++) {
+ for (i = 0; i < *len; i++) {
+ if (*p >= end) {
+ efree(str);
+ return NULL;
+ }
if (**p != '\\') {
str[i] = (char)**p;
} else {
@@ -142,7 +146,6 @@
return NULL;
}
}
- end += 2;
str[i] = (char)ch;
}
(*p)++;
@@ -866,7 +869,7 @@
return 0;
}
- if ((str = unserialize_str(&YYCURSOR, &len)) == NULL) {
+ if ((str = unserialize_str(&YYCURSOR, &len, maxlen)) == NULL) {
return 0;
}
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/var_unserializer.re?r1=1.65&r2=1.66&diff_format=u
Index: php-src/ext/standard/var_unserializer.re
diff -u php-src/ext/standard/var_unserializer.re:1.65
php-src/ext/standard/var_unserializer.re:1.66
--- php-src/ext/standard/var_unserializer.re:1.65 Mon Jul 9 13:43:50 2007
+++ php-src/ext/standard/var_unserializer.re Mon Jul 9 14:33:37 2007
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: var_unserializer.re,v 1.65 2007/07/09 13:43:50 dmitry Exp $ */
+/* $Id: var_unserializer.re,v 1.66 2007/07/09 14:33:37 dmitry Exp $ */
#include "php.h"
#include "ext/standard/php_var.h"
@@ -110,18 +110,22 @@
return ustr;
}
-static char *unserialize_str(const unsigned char **p, int *len)
+static char *unserialize_str(const unsigned char **p, size_t *len, size_t
maxlen)
{
size_t i, j;
char *str = safe_emalloc(*len, 1, 1);
- unsigned char *end = *(unsigned char **)p+*len;
+ unsigned char *end = *(unsigned char **)p+maxlen;
if(end < *p) {
efree(str);
return NULL;
}
- for (i = 0; i < *len && *p < end; i++) {
+ for (i = 0; i < *len; i++) {
+ if (*p >= end) {
+ efree(str);
+ return NULL;
+ }
if (**p != '\\') {
str[i] = (char)**p;
} else {
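Review bot: The new `if (*p >= end)` check runs once per output byte, but the backslash branch that opens on the last line of this hunk appears to read two further input bytes; that inner loop is outside the hunk, so this is inferred from the `str[i] = (char)ch;` tail shown in the next hunk. If the pointer is advanced there without being compared against `end`, a backslash at the very end of the input is still read past `*p + maxlen`; repeating the guard after each advance, `if (*p >= end) { efree(str); return NULL; }`, would cover it. `safe_emalloc(*len, 1, 1)` also runs before `*len` is compared with `maxlen`, so unless the caller already rejects `len > maxlen` (not visible here) the allocation size comes straight from the input. A short comment on the signature saying that `*len` is the decoded length and `maxlen` the number of input bytes available from `*p` would help, since the old code used `*len` for both. The same code appears in the var_unserializer.c hunks earlier on the page, which look like the generated counterpart of this file.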
@@ -140,7 +144,6 @@
return NULL;
}
}
- end += 2;
str[i] = (char)ch;
}
(*p)++;
@@ -578,7 +581,7 @@
return 0;
}
- if ((str = unserialize_str(&YYCURSOR, &len)) == NULL) {
+ if ((str = unserialize_str(&YYCURSOR, &len, maxlen)) == NULL) {
return 0;
}
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/serialize/unserializeS.phpt?r1=1.2&r2=1.3&diff_format=u
Index: php-src/ext/standard/tests/serialize/unserializeS.phpt
diff -u php-src/ext/standard/tests/serialize/unserializeS.phpt:1.2
php-src/ext/standard/tests/serialize/unserializeS.phpt:1.3
--- php-src/ext/standard/tests/serialize/unserializeS.phpt:1.2 Fri Mar 23
20:34:11 2007
+++ php-src/ext/standard/tests/serialize/unserializeS.phpt Mon Jul 9
14:33:37 2007
@@ -11,4 +11,4 @@
var_dump($data);
--EXPECT--
-string(100)
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+bool(false)
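Review bot: The only expectation visible in this hunk is now the rejection result `bool(false)`, so the input that used to decode to 100 `a` characters no longer exercises a successful `S:` decode. The test input sits above the hunk, so this is partly inferred. If the file has no other case, add a second `var_dump(unserialize(...))` with a well-formed `S:` payload that contains a `\xx` escape, and one whose escape is cut off at the end of the input, so that both the accept path and the new bounds check are pinned by the test.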