Fix bug #73029 - Missing type check when unserializing SplArray
smalyshev committed Sep 13, 2016
1 parent b88393f commit ecb7f58
Showing 2 changed files with 20 additions and 2 deletions.
6 changes: 4 additions & 2 deletions ext/spl/spl_array.c
@@ -308,7 +308,7 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object,
long index;
HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);

if (!offset) {
if (!offset || !ht) {
return &EG(uninitialized_zval_ptr);
}

@@ -1810,7 +1810,9 @@ SPL_METHOD(Array, unserialize)
intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK;
zval_ptr_dtor(&intern->array);
ALLOC_INIT_ZVAL(intern->array);
if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {
if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)
|| (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) {
zval_ptr_dtor(&intern->array);
goto outexcept;
}
var_push_dtor(&var_hash, &intern->array);
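Review bot: In the new failure branch of SPL_METHOD(Array, unserialize), `zval_ptr_dtor(&intern->array);` releases the zval but leaves `intern->array` pointing at it before `goto outexcept`. If that release drops the last reference, the object keeps a stale pointer that later handlers could dereference or release a second time; whether `outexcept` or the object's free-storage code accounts for this lies outside the hunk. I would follow the release with `ALLOC_INIT_ZVAL(intern->array);` (or reset the field to whatever empty state the rest of the file tolerates) so the object never holds a freed zval. The `!ht` guard added in spl_array_get_dimension_ptr_ptr covers only that one accessor; other callers of spl_array_get_hash_table() are not visible here and presumably need the same NULL check.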
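--- a/ext/spl/tests/bug73029.phpt
+++ b/ext/spl/tests/bug73029.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #73029: Missing type check when unserializing SplArray
+--FILE--
+<?php
+try {
+$a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}';
+$m = unserialize($a);
+$x = $m[2];
+} catch(UnexpectedValueException $e) {
+print $e->getMessage() . "\n";
+}
+?>
+DONE
+--EXPECTF--
+Error at offset 10 of 19 bytes
+DONE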
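Review bot: `$x = $m[2];` never executes on the expected path, because the EXPECTF output shows unserialize() throwing UnexpectedValueException first. The test therefore covers only the new type check in Array::unserialize, not the `!ht` guard added to spl_array_get_dimension_ptr_ptr. A separate case that performs a dimension read on an object whose storage yields no hash table would pin that guard as well. A one-line comment above `$a` stating what the storage field of the payload resolves to (presumably something other than an array or object, given the check it is meant to trip) would make the test readable without decoding the serialized string.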
