Fix bug #67492: unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion

smalyshev · smalyshev · commit b03993dde90b · 2014-06-24T10:29:26.000-07:00
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
@@ -1804,7 +1804,7 @@ SPL_METHOD(Array, unserialize)
 	++p;
 
 	ALLOC_INIT_ZVAL(pmembers);
-	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
 		zval_ptr_dtor(&pmembers);
 		goto outexcept;
 	}
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
@@ -914,7 +914,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
 	++p;
 
 	ALLOC_INIT_ZVAL(pmembers);
-	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
 		zval_ptr_dtor(&pmembers);
 		goto outexcept;
 	}
diff --git a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
@@ -7,6 +7,7 @@ $badblobs = array(
 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"',
 );
 foreach($badblobs as $blob) {
 try {
@@ -17,6 +18,7 @@ try {
 	echo $e->getMessage()."\n";
 }
 }
+echo "DONE\n";
 --EXPECTF--
 Error at offset 6 of 34 bytes
 Error at offset 46 of 89 bytes
@@ -42,4 +44,5 @@ object(SplObjectStorage)#2 (1) {
     }
   }
 }
-
+Error at offset 79 of 78 bytes
+DONE

Original file line number	Diff line number	Diff line change
`@@ -1804,7 +1804,7 @@ SPL_METHOD(Array, unserialize)`
`1804`	`1804`	`++p;`
`1805`	`1805`
`1806`	`1806`	`ALLOC_INIT_ZVAL(pmembers);`
`1807`		`- if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {`
	`1807`	`+ if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) \|\| Z_TYPE_P(pmembers) != IS_ARRAY) {`
`1808`	`1808`	`zval_ptr_dtor(&pmembers);`
`1809`	`1809`	`goto outexcept;`
`1810`	`1810`	`}`
Original file line number	Diff line number	Diff line change
`@@ -914,7 +914,7 @@ SPL_METHOD(SplObjectStorage, unserialize)`
`914`	`914`	`++p;`
`915`	`915`
`916`	`916`	`ALLOC_INIT_ZVAL(pmembers);`
`917`		`- if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {`
	`917`	`+ if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) \|\| Z_TYPE_P(pmembers) != IS_ARRAY) {`
`918`	`918`	`zval_ptr_dtor(&pmembers);`
`919`	`919`	`goto outexcept;`
`920`	`920`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ $badblobs = array(`
`7`	`7`	`'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',`
`8`	`8`	`'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',`
`9`	`9`	`'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',`
	`10`	`+'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"',`
`10`	`11`	`);`
`11`	`12`	`foreach($badblobs as $blob) {`
`12`	`13`	`try {`
`@@ -17,6 +18,7 @@ try {`
`17`	`18`	`echo $e->getMessage()."\n";`
`18`	`19`	`}`
`19`	`20`	`}`
	`21`	`+echo "DONE\n";`
`20`	`22`	`--EXPECTF--`
`21`	`23`	`Error at offset 6 of 34 bytes`
`22`	`24`	`Error at offset 46 of 89 bytes`
`@@ -42,4 +44,5 @@ object(SplObjectStorage)#2 (1) {`
`42`	`44`	`}`
`43`	`45`	`}`
`44`	`46`	`}`
`45`		`-`
	`47`	`+Error at offset 79 of 78 bytes`
	`48`	`+DONE`