Commit: 0b23da1c74c52a819b728c78c66c182511223355 Author: Xinchen Hui <larue...@php.net> Fri, 17 Aug 2012 18:28:32 +0800 Parents: 8ac61a3e60329a10dfc85036ef46d78e53f8de95 Branches: PHP-5.4
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=0b23da1c74c52a819b728c78c66c182511223355 Log: Fixed bug #62836 (Seg fault or broken object references on unserialize()) Bugs: https://bugs.php.net/62836 Changed paths: M NEWS A ext/standard/tests/serialize/bug62836_1.phpt A ext/standard/tests/serialize/bug62836_2.phpt M ext/standard/var_unserializer.c Diff: diff --git a/NEWS b/NEWS index c7fb47f..1142a42 100644 --- a/NEWS +++ b/NEWS @@ -26,6 +26,10 @@ PHP NEWS . Fixed bug (segfault due to PS(mod_user_implemented) not be reseted when close handler call exit). (Laruence) +- Standard: + . Fixed bug #62836 (Seg fault or broken object references on unserialize()). + (Laruence) + ?? ??? 2012, PHP 5.4.6 diff --git a/ext/standard/tests/serialize/bug62836_1.phpt b/ext/standard/tests/serialize/bug62836_1.phpt new file mode 100644 index 0000000..7291046 --- /dev/null +++ b/ext/standard/tests/serialize/bug62836_1.phpt @@ -0,0 +1,34 @@ +--TEST-- +Bug #62836 (Seg fault or broken object references on unserialize()) +--FILE-- +<?php +$serialized_object='O:1:"A":4:{s:1:"b";O:1:"B":0:{}s:2:"b1";r:2;s:1:"c";O:1:"B":0:{}s:2:"c1";r:4;}'; +function __autoload($name) { + unserialize("i:4;"); + eval("class $name {} "); +} + +print_r(unserialize($serialized_object)); +echo "okey"; +?> +--EXPECT-- +A Object +( + [b] => B Object + ( + ) + + [b1] => B Object + ( + ) + + [c] => B Object + ( + ) + + [c1] => B Object + ( + ) + +) +okey diff --git a/ext/standard/tests/serialize/bug62836_2.phpt b/ext/standard/tests/serialize/bug62836_2.phpt new file mode 100644 index 0000000..0634b1d --- /dev/null +++ b/ext/standard/tests/serialize/bug62836_2.phpt 
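Review bot: The nested call inside `__autoload` in bug62836_1.phpt, and inside `mycallback` in bug62836_2.phpt, only unserializes the scalar `i:4;`, so neither test covers a nested unserialize() that itself names an undefined class and re-enters the class lookup. A regression on that re-entrant path would show up as wrong `r:2;` / `r:4;` back-references or a crash rather than a clean failure, so it is worth pinning. I would add a case whose callback unserializes an object of a second undefined class and then calls unserialize() once more before returning, with the same expected `print_r` output. The branch that emits the "defined (%s) but not found" warning is also not exercised by either file.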
@@ -0,0 +1,37 @@ +--TEST-- +Bug #62836 (Seg fault or broken object references on unserialize()) +--FILE-- +<?php +$serialized_object='O:1:"A":4:{s:1:"b";O:1:"B":0:{}s:2:"b1";r:2;s:1:"c";O:1:"B":0:{}s:2:"c1";r:4;}'; + +ini_set('unserialize_callback_func','mycallback'); + +function mycallback($classname) { + unserialize("i:4;"); + eval ("class $classname {} "); +} + +print_r(unserialize($serialized_object)); +echo "okey"; +?> +--EXPECT-- +A Object +( + [b] => B Object + ( + ) + + [b1] => B Object + ( + ) + + [c] => B Object + ( + ) + + [c1] => B Object + ( + ) + +) +okey diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c index e1ac636..2537c52 100644 --- a/ext/standard/var_unserializer.c +++ b/ext/standard/var_unserializer.c @@ -620,10 +620,13 @@ yy20: do { /* Try to find class directly */ + BG(serialize_lock) = 1; if (zend_lookup_class(class_name, len2, &pce TSRMLS_CC) == SUCCESS) { + BG(serialize_lock) = 0; ce = *pce; break; } + BG(serialize_lock) = 0; /* Check for unserialize callback */ if ((PG(unserialize_callback_func) == NULL) || (PG(unserialize_callback_func)[0] == '\0')) { @@ -638,7 +641,9 @@ yy20: args[0] = &arg_func_name; MAKE_STD_ZVAL(arg_func_name); ZVAL_STRING(arg_func_name, class_name, 1); + BG(serialize_lock) = 1; if (call_user_function_ex(CG(function_table), NULL, user_func, &retval_ptr, 1, args, 0, NULL TSRMLS_CC) != SUCCESS) { + BG(serialize_lock) = 0; php_error_docref(NULL TSRMLS_CC, E_WARNING, "defined (%s) but not found", user_func->value.str.val); incomplete_class = 1; ce = PHP_IC_ENTRY; @@ -646,6 +651,7 @@ yy20: zval_ptr_dtor(&arg_func_name); break; } + BG(serialize_lock) = 0; if (retval_ptr) { zval_ptr_dtor(&retval_ptr); } -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
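Review bot: Writing `BG(serialize_lock) = 0;` after the class lookup and after the callback clears the lock unconditionally instead of restoring its previous value, and this applies to all three hunks of var_unserializer.c. If the autoloader or `unserialize_callback_func` itself unserializes data naming an unknown class, the inner lookup resets the lock to 0 while the outer callback is still running, so a later unserialize() in that callback presumably shares the outer variable table again; a lock already held by a caller is cleared the same way. Treating the field as a depth counter, `BG(serialize_lock)++;` before each call and `BG(serialize_lock)--;` on every exit path, would nest correctly, provided its type can hold a count. The `yy20:` labels suggest this file is produced by a lexer generator and no generator input appears under Changed paths, so the same change probably has to be made there or it is lost on regeneration. The enclosing `do` block starts and ends outside the hunks.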