File tree Expand file tree Collapse file tree 3 files changed +17
-9
lines changed Expand file tree Collapse file tree 3 files changed +17
-9
lines changed Original file line number Diff line number Diff line change @@ -11,4 +11,4 @@ $data = unserialize($str);
1111var_dump ($ data
1212
1313--EXPECT --
14- string ( 100 ) " aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa "
14+ bool ( false )
Original file line number Diff line number Diff line change @@ -140,18 +140,22 @@ PHPAPI void var_destroy(php_unserialize_data_t *var_hashx)
140140
141141/* }}} */
142142
143- static char * unserialize_str (const unsigned char * * p , size_t * len )
143+ static char * unserialize_str (const unsigned char * * p , size_t * len , size_t maxlen )
144144{
145145 size_t i , j ;
146146 char * str = safe_emalloc (* len , 1 , 1 );
147- unsigned char * end = * (unsigned char * * )p + * len ;
147+ unsigned char * end = * (unsigned char * * )p + maxlen ;
148148
149149 if (end < * p ) {
150150 efree (str );
151151 return NULL ;
152152 }
153153
154- for (i = 0 ; i < * len && * p < end ; i ++ ) {
154+ for (i = 0 ; i < * len ; i ++ ) {
155+ if (* p >= end ) {
156+ efree (str );
157+ return NULL ;
158+ }
155159 if (* * p != '\\' ) {
156160 str [i ] = (char )* * p ;
157161 } else {
@@ -757,7 +761,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
757761 return 0 ;
758762 }
759763
760- if ((str = unserialize_str (& YYCURSOR , & len )) == NULL ) {
764+ if ((str = unserialize_str (& YYCURSOR , & len , maxlen )) == NULL ) {
761765 return 0 ;
762766 }
763767
Original file line number Diff line number Diff line change @@ -138,18 +138,22 @@ PHPAPI void var_destroy(php_unserialize_data_t *var_hashx)
138138
139139/* }}} */
140140
141- static char *unserialize_str (const unsigned char **p, size_t *len)
141+ static char *unserialize_str (const unsigned char **p, size_t *len, size_t maxlen )
142142{
143143 size_t i, j;
144144 char *str = safe_emalloc (*len, 1 , 1 );
145- unsigned char *end = *(unsigned char **)p+*len ;
145+ unsigned char *end = *(unsigned char **)p+maxlen ;
146146
147147 if (end < *p) {
148148 efree (str);
149149 return NULL ;
150150 }
151151
152- for (i = 0 ; i < *len && *p < end; i++) {
152+ for (i = 0 ; i < *len; i++) {
153+ if (*p >= end) {
154+ efree (str);
155+ return NULL ;
156+ }
153157 if (**p != ' \\ '
154158 str[i] = (char )**p;
155159 } else {
@@ -525,7 +529,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
525529 return 0;
526530 }
527531
528- if ((str = unserialize_str(&YYCURSOR, &len)) == NULL) {
532+ if ((str = unserialize_str(&YYCURSOR, &len, maxlen )) == NULL) {
529533 return 0;
530534 }
531535
You can’t perform that action at this time.
0 commit comments