[PHP-CVS] cvs: php-src(PHP_5_2) /ext/standard var_unserializer.c var_unserializer.re /ext/standard/tests/serialize unserializeS.phpt
dmitry Mon Jul 9 14:31:56 2007 UTC
Modified files: (Branch: PHP_5_2)
/php-src/ext/standard var_unserializer.c var_unserializer.re
/php-src/ext/standard/tests/serialize unserializeS.phpt
Log:
Proper fix for MOPB-29
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/var_unserializer.c?r1=1.70.2.4.2.5r2=1.70.2.4.2.6diff_format=u
Index: php-src/ext/standard/var_unserializer.c
diff -u php-src/ext/standard/var_unserializer.c:1.70.2.4.2.5
php-src/ext/standard/var_unserializer.c:1.70.2.4.2.6
--- php-src/ext/standard/var_unserializer.c:1.70.2.4.2.5Tue Mar 27
09:29:10 2007
+++ php-src/ext/standard/var_unserializer.c Mon Jul 9 14:31:56 2007
@@ -18,7 +18,7 @@
+--+
*/
-/* $Id: var_unserializer.c,v 1.70.2.4.2.5 2007/03/27 09:29:10 tony2001 Exp $ */
+/* $Id: var_unserializer.c,v 1.70.2.4.2.6 2007/07/09 14:31:56 dmitry Exp $ */
#include php.h
#include ext/standard/php_var.h
@@ -140,18 +140,22 @@
/* }}} */
-static char *unserialize_str(const unsigned char **p, size_t *len)
+static char *unserialize_str(const unsigned char **p, size_t *len, size_t
maxlen)
{
size_t i, j;
char *str = safe_emalloc(*len, 1, 1);
- unsigned char *end = *(unsigned char **)p+*len;
+ unsigned char *end = *(unsigned char **)p+maxlen;
if(end *p) {
efree(str);
return NULL;
}
- for (i = 0; i *len *p end; i++) {
+ for (i = 0; i *len; i++) {
+ if (*p = end) {
+ efree(str);
+ return NULL;
+ }
if (**p != '\\') {
str[i] = (char)**p;
} else {
@@ -757,7 +761,7 @@
return 0;
}
- if ((str = unserialize_str(YYCURSOR, len)) == NULL) {
+ if ((str = unserialize_str(YYCURSOR, len, maxlen)) == NULL) {
return 0;
}
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/var_unserializer.re?r1=1.52.2.2.2.3r2=1.52.2.2.2.4diff_format=u
Index: php-src/ext/standard/var_unserializer.re
diff -u php-src/ext/standard/var_unserializer.re:1.52.2.2.2.3
php-src/ext/standard/var_unserializer.re:1.52.2.2.2.4
--- php-src/ext/standard/var_unserializer.re:1.52.2.2.2.3 Tue Mar 27
09:29:10 2007
+++ php-src/ext/standard/var_unserializer.reMon Jul 9 14:31:56 2007
@@ -16,7 +16,7 @@
+--+
*/
-/* $Id: var_unserializer.re,v 1.52.2.2.2.3 2007/03/27 09:29:10 tony2001 Exp $
*/
+/* $Id: var_unserializer.re,v 1.52.2.2.2.4 2007/07/09 14:31:56 dmitry Exp $ */
#include php.h
#include ext/standard/php_var.h
@@ -138,18 +138,22 @@
/* }}} */
-static char *unserialize_str(const unsigned char **p, size_t *len)
+static char *unserialize_str(const unsigned char **p, size_t *len, size_t
maxlen)
{
size_t i, j;
char *str = safe_emalloc(*len, 1, 1);
- unsigned char *end = *(unsigned char **)p+*len;
+ unsigned char *end = *(unsigned char **)p+maxlen;
if(end *p) {
efree(str);
return NULL;
}
- for (i = 0; i *len *p end; i++) {
+ for (i = 0; i *len; i++) {
+ if (*p = end) {
+ efree(str);
+ return NULL;
+ }
if (**p != '\\') {
str[i] = (char)**p;
} else {
@@ -525,7 +529,7 @@
return 0;
}
- if ((str = unserialize_str(YYCURSOR, len)) == NULL) {
+ if ((str = unserialize_str(YYCURSOR, len, maxlen)) == NULL) {
return 0;
}
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/serialize/unserializeS.phpt?r1=1.1.2.1r2=1.1.2.2diff_format=u
Index: php-src/ext/standard/tests/serialize/unserializeS.phpt
diff -u php-src/ext/standard/tests/serialize/unserializeS.phpt:1.1.2.1
php-src/ext/standard/tests/serialize/unserializeS.phpt:1.1.2.2
--- php-src/ext/standard/tests/serialize/unserializeS.phpt:1.1.2.1 Fri Mar
23 20:15:22 2007
+++ php-src/ext/standard/tests/serialize/unserializeS.phpt Mon Jul 9
14:31:56 2007
@@ -11,4 +11,4 @@
var_dump($data);
--EXPECT--
-string(100)
+bool(false)
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] cvs: php-src(PHP_5_2) /ext/standard var_unserializer.c var_unserializer.re /ext/standard/tests/serialize unserializeS.phpt
stasFri Mar 23 20:15:22 2007 UTC
Added files: (Branch: PHP_5_2)
/php-src/ext/standard/tests/serialize unserializeS.phpt
Modified files:
/php-src/ext/standard var_unserializer.c var_unserializer.re
Log:
fix MOPB-29 - unserialize modifier S does not calculate length correctly
# reported by Stefan Esser
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/var_unserializer.c?r1=1.70.2.4.2.2r2=1.70.2.4.2.3diff_format=u
Index: php-src/ext/standard/var_unserializer.c
diff -u php-src/ext/standard/var_unserializer.c:1.70.2.4.2.2
php-src/ext/standard/var_unserializer.c:1.70.2.4.2.3
--- php-src/ext/standard/var_unserializer.c:1.70.2.4.2.2Mon Jan 1
09:36:09 2007
+++ php-src/ext/standard/var_unserializer.c Fri Mar 23 20:15:21 2007
@@ -1,10 +1,10 @@
-/* Generated by re2c 0.9.12 on Thu Dec 14 15:59:31 2006 */
+/* Generated by re2c 0.11.2 on Fri Mar 23 13:13:16 2007 */
#line 1 ext/standard/var_unserializer.re
/*
+--+
| PHP Version 5|
+--+
- | Copyright (c) 1997-2007 The PHP Group|
+ | Copyright (c) 1997-2006 The PHP Group|
+--+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is|
@@ -18,7 +18,7 @@
+--+
*/
-/* $Id: var_unserializer.c,v 1.70.2.4.2.2 2007/01/01 09:36:09 sebastian Exp $
*/
+/* $Id: var_unserializer.c,v 1.70.2.4.2.3 2007/03/23 20:15:21 stas Exp $ */
#include php.h
#include ext/standard/php_var.h
@@ -140,12 +140,18 @@
/* }}} */
-static char *unserialize_str(const unsigned char **p, int len)
+static char *unserialize_str(const unsigned char **p, size_t *len)
{
- int i, j;
- char *str = emalloc(len+1);
+ size_t i, j;
+ char *str = safe_emalloc(*len, 1, 1);
+ unsigned char *end = *p+*len;
- for (i = 0; i len; i++) {
+ if(end *p) {
+ efree(str);
+ return NULL;
+ }
+
+ for (i = 0; i *len *p end; i++) {
if (**p != '\\') {
str[i] = (char)**p;
} else {
@@ -169,6 +175,7 @@
(*p)++;
}
str[i] = 0;
+ *len = i;
return str;
}
@@ -179,7 +186,7 @@
#define YYMARKER marker
-#line 187 ext/standard/var_unserializer.re
+#line 194 ext/standard/var_unserializer.re
@@ -386,53 +393,16 @@
-{
- static unsigned char yybm[] = {
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 128, 128, 128, 128, 128, 128, 128, 128,
- 128, 128, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,
- };
-#line 426 ext/standard/var_unserializer.c
+#line 398 stdout
{
YYCTYPE yych;
- unsigned int yyaccept = 0;
- goto yy0;
- ++YYCURSOR;
-yy0:
+
if((YYLIMIT - YYCURSOR) 7) YYFILL(7);
yych = *YYCURSOR;
- switch(yych){
- case 'C': case 'O': goto yy13;
+ switch(yych) {
+ case 'C':
+ case 'O': goto yy13;
case 'N': goto yy5;
case 'R': goto yy2;
case 'S': goto yy10;
@@ -446,97 +416,150 @@
case '}':
