Fixed bug #68976 - Use After Free Vulnerability in unserialize()

php · Mar 17, 2015 · 780222f · 780222f
1 parent 38e15d8
commit 780222f
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
@@ -396,6 +396,8 @@ string_key:
 			return 0;
 		}
 
+		var_push_dtor(var_hash, data);
+
 		if (elements && *(*p-1) != ';' && *(*p-1) != '}') {
 			(*p)--;
 			return 0;