Fixed bug #37947 (zend_ptr_stack reallocation problem)

2025-08-18 06:58:55 +02:00 · 2006-07-10 14:02:40 +00:00 · 2006-07-10 14:02:40 +00:00 · 83ac79600e
commit 83ac79600e
parent d9d23050d1
3 changed files with 40 additions and 22 deletions
--- a/1
+++ b/1
@ -90,6 +90,7 @@ PHP                                                                        NEWS
 - Fixed bug #38003 (in classes inherited from MySQLi it's possible to call 
  private constructors from invalid context). (Tony)
 - Fixed bug #37987 (invalid return of file_exists() in safe mode). (Ilia)
+- Fixed bug #37947 (zend_ptr_stack reallocation problem). (Dmitry)
 - Fixed bug #37931 (possible crash in OCI8 after database restart 
  when using persistent connections). (Tony)
 - Fixed bug #37920 (compilation problems on z/OS). (Tony)
--- a/ext/standard/tests/serialize/bug37947.phpt
+++ b/ext/standard/tests/serialize/bug37947.phpt
@ -0,0 +1,21 @@
+--TEST--
+Bug #37947 (zend_ptr_stack reallocation problem)
+--INI--
+error_reporting=0
+--FILE--
+<?
+class test {
+        function extend_zend_ptr_stack($count,$a,$b,$c,$d,$e) {
+                if ($count>0) $this->extend_zend_ptr_stack($count -
+1,$a,$b,$c,$d,$e);
+        }
+
+        function __wakeup() {
+                $this->extend_zend_ptr_stack(10,'a','b','c','d','e');
+        }
+}
+
+$str='a:2:{i:0;O:4:"test":0:{}junk';
+var_dump(unserialize($str));
+--EXPECT--
+bool(false)
--- a/ext/standard/var.c
+++ b/ext/standard/var.c
@ -881,32 +881,28 @@ PHP_FUNCTION(serialize)

 PHP_FUNCTION(unserialize)
 {
-	zval **buf;
+	char *buf;
+	int buf_len;
+	const unsigned char *p;
 	php_unserialize_data_t var_hash;
 	
-	if (ZEND_NUM_ARGS() != 1 || zend_get_parameters_ex(1, &buf) == FAILURE) {
-		WRONG_PARAM_COUNT;
-	}
-
-	if (Z_TYPE_PP(buf) == IS_STRING) {
-		const unsigned char *p = (unsigned char*)Z_STRVAL_PP(buf);
-
-		if (Z_STRLEN_PP(buf) == 0) {
-			RETURN_FALSE;
-		}
-
-		PHP_VAR_UNSERIALIZE_INIT(var_hash);
-		if (!php_var_unserialize(&return_value, &p, p + Z_STRLEN_PP(buf),  &var_hash TSRMLS_CC)) {
-			PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
-			zval_dtor(return_value);
-			php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Error at offset %ld of %d bytes", (long)((char*)p - Z_STRVAL_PP(buf)), Z_STRLEN_PP(buf));
-			RETURN_FALSE;
-		}
-		PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
-	} else {
-		php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Argument is not a string");
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
 		RETURN_FALSE;
 	}
+
+	if (buf_len == 0) {
+		RETURN_FALSE;
+	}
+
+	p = (const unsigned char*)buf;
+	PHP_VAR_UNSERIALIZE_INIT(var_hash);
+	if (!php_var_unserialize(&return_value, &p, p + buf_len,  &var_hash TSRMLS_CC)) {
+		PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+		zval_dtor(return_value);
+		php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len);
+		RETURN_FALSE;
+	}
+	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 }

 /* }}} */