Fixed buffer outflow during deserialization of objects

Issue manifests itself when using alternative serializers (igbinary)

Author: asp24

src/php/objects/php_deque.c

@@ -63,7 +63,7 @@ int php_ds_deque_unserialize(zval *object, zend_class_entry *ce, const unsigned
 
     PHP_VAR_UNSERIALIZE_INIT(unserialize_data);
 
-    while (*pos != '}') {
+    while (pos != end) {
         zval *value = var_tmp_var(&unserialize_data);
 
         if ( ! php_var_unserialize(value, &pos, end, &unserialize_data)) {

src/php/objects/php_priority_queue.c

@@ -78,7 +78,7 @@ int php_ds_priority_queue_unserialize(zval *object, zend_class_entry *ce, const
     PHP_VAR_UNSERIALIZE_INIT(unserialize_data);
     ZVAL_DS_PRIORITY_QUEUE(object, queue);
 
-    while (*pos != '}') {
+    while (pos != end) {
         zval *value, *priority;
 
         value = var_tmp_var(&unserialize_data);

src/php/objects/php_queue.c

@@ -64,7 +64,7 @@ int php_ds_queue_unserialize(zval *object, zend_class_entry *ce, const unsigned
 
     PHP_VAR_UNSERIALIZE_INIT(unserialize_data);
 
-    while (*pos != '}') {
+    while (pos != end) {
         zval *value = var_tmp_var(&unserialize_data);
 
         if ( ! php_var_unserialize(value, &pos, end, &unserialize_data)) {

src/php/objects/php_set.c

@@ -64,7 +64,7 @@ int php_ds_set_unserialize(zval *object, zend_class_entry *ce, const unsigned ch
     PHP_VAR_UNSERIALIZE_INIT(unserialize_data);
     ZVAL_DS_SET(object, set);
 
-    while (*pos != '}') {
+    while (pos != end) {
         zval *value = var_tmp_var(&unserialize_data);
 
         if ( ! php_var_unserialize(value, &pos, end, &unserialize_data)) {
@@ -74,10 +74,6 @@ int php_ds_set_unserialize(zval *object, zend_class_entry *ce, const unsigned ch
         ds_set_add(set, value);
     }
 
-    if (pos != end) {
-        goto error;
-    }
-
     PHP_VAR_UNSERIALIZE_DESTROY(unserialize_data);
     return SUCCESS;
 

src/php/objects/php_stack.c

@@ -63,7 +63,7 @@ int php_ds_stack_unserialize(zval *object, zend_class_entry *ce, const unsigned
 
     PHP_VAR_UNSERIALIZE_INIT(unserialize_data);
 
-    while (*pos != '}') {
+    while (pos != end) {
         zval *value = var_tmp_var(&unserialize_data);
 
         if ( ! php_var_unserialize(value, &pos, end, &unserialize_data)) {
@@ -73,10 +73,6 @@ int php_ds_stack_unserialize(zval *object, zend_class_entry *ce, const unsigned
         ds_stack_push(stack, value);
     }
 
-    if (pos != end) {
-        goto error;
-    }
-
     ZVAL_DS_STACK(object, stack);
     PHP_VAR_UNSERIALIZE_DESTROY(unserialize_data);
     return SUCCESS;

src/php/objects/php_vector.c

@@ -63,7 +63,7 @@ int php_ds_vector_unserialize(zval *obj, zend_class_entry *ce, const unsigned ch
 
     PHP_VAR_UNSERIALIZE_INIT(unserialize_data);
 
-    while (*pos != '}') {
+    while (pos != end) {
         zval *value = var_tmp_var(&unserialize_data);
 
         if ( ! php_var_unserialize(value, &pos, end, &unserialize_data)) {