Patch overflow-fix for Reproducible crash Bug #68044
Patch version 2014-09-28 21:26 UTC
Return to Bug #68044 |
Download this patch
Patch Revisions:
Developer: stas@php.net
commit 98ddf8502ef79a5e29b6c0fc81fd145353f48955
Author: Stanislav Malyshev <stas@php.net>
Date: Sun Sep 28 14:19:31 2014 -0700
Fixed bug #68044: Integer overflow in unserialize() (32-bits only)
diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt
new file mode 100644
index 0000000..031e44e
--- /dev/null
+++ b/ext/standard/tests/serialize/bug68044.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #68044 Integer overflow in unserialize() (32-bits only)
+--FILE--
+<?php
+ echo unserialize('C:3:"XYZ":18446744075857035259:{}');
+?>
+===DONE==
+--EXPECTF--
+Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2
+
+Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2
+===DONE==
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
index 657051f..8129da3 100644
--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
@@ -1,4 +1,4 @@
-/* Generated by re2c 0.13.5 on Sat Jun 21 21:27:56 2014 */
+/* Generated by re2c 0.13.5 */
#line 1 "ext/standard/var_unserializer.re"
/*
+----------------------------------------------------------------------+
@@ -372,7 +372,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
(*p) += 2;
- if (datalen < 0 || (*p) + datalen >= max) {
+ if (datalen < 0 || (max - (*p)) <= datalen) {
zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
return 0;
}
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 1307508..6de1583 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -376,7 +376,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
(*p) += 2;
- if (datalen < 0 || (*p) + datalen >= max) {
+ if (datalen < 0 || (max - (*p)) <= datalen) {
zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
return 0;
}
|
Copyright © 2001-2024 The PHP Group