
Commit e793a2a

Merge pull request #111 from code-tool/unserialize-fixes
Fixed buffer outflow during deserialization of objects
2 parents f3989cb + e39fe16 commit e793a2a


6 files changed

+6
-30
lines changed


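--- a/src/php/objects/php_deque.c
+++ b/src/php/objects/php_deque.c
@@ -63,7 +63,7 @@ int php_ds_deque_unserialize(zval *object, zend_class_entry *ce, const unsigned
 
 PHP_VAR_UNSERIALIZE_INIT(unserialize_data);
 
-while (*pos != '}') {
+while (pos != end) {
 zval *value = var_tmp_var(&unserialize_data);
 
 if ( ! php_var_unserialize(value, &pos, end, &unserialize_data)) {
@@ -73,10 +73,6 @@ int php_ds_deque_unserialize(zval *object, zend_class_entry *ce, const unsigned
 ds_deque_push(deque, value);
 }
 
-if (pos != end) {
-goto error;
-}
-
 ZVAL_DS_DEQUE(object, deque);
 PHP_VAR_UNSERIALIZE_DESTROY(unserialize_data);
 return SUCCESS;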
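Review bot: Nothing in this commit pins the new bound `while (pos != end)` at line 66 with a test: all six changed files are under src/php/objects/, so a payload that is cut mid-element or ends without the expected closing brace can regress unnoticed. A case per handler that unserializes such a truncated payload and expects failure would cover it; the same applies to php_priority_queue.c, php_queue.c, php_set.c, php_stack.c and php_vector.c. The loop now exits only on exact equality, so it relies on php_var_unserialize() never advancing `pos` beyond `end`; that is worth recording above the loop, e.g. `/* end is the only bound on pos; php_var_unserialize() must not advance past it */`. The function starts and ends outside both hunks.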

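--- a/src/php/objects/php_priority_queue.c
+++ b/src/php/objects/php_priority_queue.c
@@ -78,7 +78,7 @@ int php_ds_priority_queue_unserialize(zval *object, zend_class_entry *ce, const
 PHP_VAR_UNSERIALIZE_INIT(unserialize_data);
 ZVAL_DS_PRIORITY_QUEUE(object, queue);
 
-while (*pos != '}') {
+while (pos != end) {
 zval *value, *priority;
 
 value = var_tmp_var(&unserialize_data);
@@ -98,10 +98,6 @@ int php_ds_priority_queue_unserialize(zval *object, zend_class_entry *ce, const
 ds_priority_queue_push(queue, value, Z_LVAL_P(priority));
 }
 
-if (pos != end) {
-goto error;
-}
-
 PHP_VAR_UNSERIALIZE_DESTROY(unserialize_data);
 return SUCCESS;
 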
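Review bot: `Z_LVAL_P(priority)` at line 98 reads the integer slot of a value that came straight from php_var_unserialize(), and no type check is visible in these hunks; lines 85–97 are outside the view and may contain one. If they do not, a serialized priority that is a string or an array is read as a long, so the push should be preceded by `if (Z_TYPE_P(priority) != IS_LONG) { goto error; }`. The function starts and ends outside both hunks.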

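--- a/src/php/objects/php_queue.c
+++ b/src/php/objects/php_queue.c
@@ -64,7 +64,7 @@ int php_ds_queue_unserialize(zval *object, zend_class_entry *ce, const unsigned
 
 PHP_VAR_UNSERIALIZE_INIT(unserialize_data);
 
-while (*pos != '}') {
+while (pos != end) {
 zval *value = var_tmp_var(&unserialize_data);
 
 if ( ! php_var_unserialize(value, &pos, end, &unserialize_data)) {
@@ -74,10 +74,6 @@ int php_ds_queue_unserialize(zval *object, zend_class_entry *ce, const unsigned
 ds_queue_push_one(queue, value);
 }
 
-if (pos != end) {
-goto error;
-}
-
 ZVAL_DS_QUEUE(object, queue);
 PHP_VAR_UNSERIALIZE_DESTROY(unserialize_data);
 return SUCCESS;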

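--- a/src/php/objects/php_set.c
+++ b/src/php/objects/php_set.c
@@ -64,7 +64,7 @@ int php_ds_set_unserialize(zval *object, zend_class_entry *ce, const unsigned ch
 PHP_VAR_UNSERIALIZE_INIT(unserialize_data);
 ZVAL_DS_SET(object, set);
 
-while (*pos != '}') {
+while (pos != end) {
 zval *value = var_tmp_var(&unserialize_data);
 
 if ( ! php_var_unserialize(value, &pos, end, &unserialize_data)) {
@@ -74,10 +74,6 @@ int php_ds_set_unserialize(zval *object, zend_class_entry *ce, const unsigned ch
 ds_set_add(set, value);
 }
 
-if (pos != end) {
-goto error;
-}
-
 PHP_VAR_UNSERIALIZE_DESTROY(unserialize_data);
 return SUCCESS;
 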
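Review bot: `ZVAL_DS_SET(object, set)` at line 65 runs before the loop, so when a later element fails to parse, `goto error` is taken with `object` already holding the partially filled set; php_deque.c, php_queue.c, php_stack.c and php_vector.c assign the object only after the loop has finished. The `error` label is outside the hunks, so whether it releases `set` while `object` still refers to it cannot be checked from here. Moving the assignment below the loop, as the other handlers do, or a comment at the label stating who owns `set` on failure, would settle it; php_priority_queue.c has the same ordering at line 79.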

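--- a/src/php/objects/php_stack.c
+++ b/src/php/objects/php_stack.c
@@ -63,7 +63,7 @@ int php_ds_stack_unserialize(zval *object, zend_class_entry *ce, const unsigned
 
 PHP_VAR_UNSERIALIZE_INIT(unserialize_data);
 
-while (*pos != '}') {
+while (pos != end) {
 zval *value = var_tmp_var(&unserialize_data);
 
 if ( ! php_var_unserialize(value, &pos, end, &unserialize_data)) {
@@ -73,10 +73,6 @@ int php_ds_stack_unserialize(zval *object, zend_class_entry *ce, const unsigned
 ds_stack_push(stack, value);
 }
 
-if (pos != end) {
-goto error;
-}
-
 ZVAL_DS_STACK(object, stack);
 PHP_VAR_UNSERIALIZE_DESTROY(unserialize_data);
 return SUCCESS;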

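--- a/src/php/objects/php_vector.c
+++ b/src/php/objects/php_vector.c
@@ -63,7 +63,7 @@ int php_ds_vector_unserialize(zval *obj, zend_class_entry *ce, const unsigned ch
 
 PHP_VAR_UNSERIALIZE_INIT(unserialize_data);
 
-while (*pos != '}') {
+while (pos != end) {
 zval *value = var_tmp_var(&unserialize_data);
 
 if ( ! php_var_unserialize(value, &pos, end, &unserialize_data)) {
@@ -73,10 +73,6 @@ int php_ds_vector_unserialize(zval *obj, zend_class_entry *ce, const unsigned ch
 ds_vector_push(vector, value);
 }
 
-if (pos != end) {
-goto error;
-}
-
 ZVAL_DS_VECTOR(obj, vector);
 PHP_VAR_UNSERIALIZE_DESTROY(unserialize_data);
 return SUCCESS;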
