Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize)

laruence · laruence · commit caebb76131ff · 2015-03-01T23:16:15.000+08:00
diff --git a/NEWS b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? 2015, PHP 5.5.23
 
 - Core:
+  . Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize).
+    (Laruence)
   . Fixed bug #69121 (Segfault in get_current_user when script owner is not
     in passwd with ZTS build). (dan at syneto dot net)
   . Fixed bug #65593 (Segfault when calling ob_start from output buffering 
diff --git a/ext/standard/tests/serialize/bug69139.phpt b/ext/standard/tests/serialize/bug69139.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #69139 (Crash in gc_zval_possible_root on unserialize)
+--FILE--
+<?php
+$str = 'a:1126666:{i:0;r:1;i:-09610;r:1;i:-0;i:0;i:0;O:1:"A":2119X:i:0;i:0;i:0;i:0;i:0;O:1:"A":2116:{i:0;r:5;i:-096766610;r:1;i:-610;r:1;i:0;i:0;';
+@unserialize($str);
+echo "Alive";
+?>
+--EXPECT--
+Alive
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
@@ -1,4 +1,4 @@
-/* Generated by re2c 0.13.7.5 on Thu Jan  1 14:43:18 2015 */
+/* Generated by re2c 0.13.5 */
 #line 1 "ext/standard/var_unserializer.re"
 /*
   +----------------------------------------------------------------------+
@@ -320,8 +320,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 		if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) {
 			zval_dtor(key);
 			FREE_ZVAL(key);
-			zval_dtor(data);
-			FREE_ZVAL(data);
+			zval_ptr_dtor(&data);
 			return 0;
 		}
 
@@ -483,7 +482,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	
 	
 
-#line 487 "ext/standard/var_unserializer.c"
+#line 486 "ext/standard/var_unserializer.c"
 {
 	YYCTYPE yych;
 	static const unsigned char yybm[] = {
@@ -543,9 +542,9 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	yych = *(YYMARKER = ++YYCURSOR);
 	if (yych == ':') goto yy95;
 yy3:
-#line 838 "ext/standard/var_unserializer.re"
+#line 837 "ext/standard/var_unserializer.re"
 	{ return 0; }
-#line 549 "ext/standard/var_unserializer.c"
+#line 548 "ext/standard/var_unserializer.c"
 yy4:
 	yych = *(YYMARKER = ++YYCURSOR);
 	if (yych == ':') goto yy89;
@@ -588,13 +587,13 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	goto yy3;
 yy14:
 	++YYCURSOR;
-#line 832 "ext/standard/var_unserializer.re"
+#line 831 "ext/standard/var_unserializer.re"
 	{
 	/* this is the case where we have less data than planned */
 	php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data");
 	return 0; /* not sure if it should be 0 or 1 here? */
 }
-#line 598 "ext/standard/var_unserializer.c"
+#line 597 "ext/standard/var_unserializer.c"
 yy16:
 	yych = *++YYCURSOR;
 	goto yy3;
@@ -620,12 +619,11 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	if (yybm[0+yych] & 128) {
 		goto yy20;
 	}
-	if (yych <= '/') goto yy18;
-	if (yych >= ';') goto yy18;
+	if (yych != ':') goto yy18;
 	yych = *++YYCURSOR;
 	if (yych != '"') goto yy18;
 	++YYCURSOR;
-#line 686 "ext/standard/var_unserializer.re"
+#line 685 "ext/standard/var_unserializer.re"
 	{
 	size_t len, len2, len3, maxlen;
 	long elements;
@@ -771,7 +769,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 
 	return object_common2(UNSERIALIZE_PASSTHRU, elements);
 }
-#line 775 "ext/standard/var_unserializer.c"
+#line 773 "ext/standard/var_unserializer.c"
 yy25:
 	yych = *++YYCURSOR;
 	if (yych <= ',') {
@@ -796,15 +794,15 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	yych = *++YYCURSOR;
 	if (yych != '"') goto yy18;
 	++YYCURSOR;
-#line 678 "ext/standard/var_unserializer.re"
+#line 677 "ext/standard/var_unserializer.re"
 	{
 
 	INIT_PZVAL(*rval);
 	
 	return object_common2(UNSERIALIZE_PASSTHRU,
 			object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
 }
-#line 808 "ext/standard/var_unserializer.c"
+#line 806 "ext/standard/var_unserializer.c"
 yy32:
 	yych = *++YYCURSOR;
 	if (yych == '+') goto yy33;
@@ -825,7 +823,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	yych = *++YYCURSOR;
 	if (yych != '{') goto yy18;
 	++YYCURSOR;
-#line 658 "ext/standard/var_unserializer.re"
+#line 657 "ext/standard/var_unserializer.re"
 	{
 	long elements = parse_iv(start + 2);
 	/* use iv() not uiv() in order to check data range */
@@ -845,7 +843,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 
 	return finish_nested_data(UNSERIALIZE_PASSTHRU);
 }
-#line 849 "ext/standard/var_unserializer.c"
+#line 847 "ext/standard/var_unserializer.c"
 yy39:
 	yych = *++YYCURSOR;
 	if (yych == '+') goto yy40;
@@ -866,7 +864,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	yych = *++YYCURSOR;
 	if (yych != '"') goto yy18;
 	++YYCURSOR;
-#line 629 "ext/standard/var_unserializer.re"
+#line 628 "ext/standard/var_unserializer.re"
 	{
 	size_t len, maxlen;
 	char *str;
@@ -895,7 +893,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	ZVAL_STRINGL(*rval, str, len, 0);
 	return 1;
 }
-#line 899 "ext/standard/var_unserializer.c"
+#line 897 "ext/standard/var_unserializer.c"
 yy46:
 	yych = *++YYCURSOR;
 	if (yych == '+') goto yy47;
@@ -916,7 +914,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	yych = *++YYCURSOR;
 	if (yych != '"') goto yy18;
 	++YYCURSOR;
-#line 601 "ext/standard/var_unserializer.re"
+#line 600 "ext/standard/var_unserializer.re"
 	{
 	size_t len, maxlen;
 	char *str;
@@ -944,7 +942,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	ZVAL_STRINGL(*rval, str, len, 1);
 	return 1;
 }
-#line 948 "ext/standard/var_unserializer.c"
+#line 946 "ext/standard/var_unserializer.c"
 yy53:
 	yych = *++YYCURSOR;
 	if (yych <= '/') {
@@ -1032,7 +1030,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	}
 yy63:
 	++YYCURSOR;
-#line 591 "ext/standard/var_unserializer.re"
+#line 590 "ext/standard/var_unserializer.re"
 	{
 #if SIZEOF_LONG == 4
 use_double:
@@ -1042,7 +1040,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL));
 	return 1;
 }
-#line 1046 "ext/standard/var_unserializer.c"
+#line 1044 "ext/standard/var_unserializer.c"
 yy65:
 	yych = *++YYCURSOR;
 	if (yych <= ',') {
@@ -1101,7 +1099,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	yych = *++YYCURSOR;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 576 "ext/standard/var_unserializer.re"
+#line 575 "ext/standard/var_unserializer.re"
 	{
 	*p = YYCURSOR;
 	INIT_PZVAL(*rval);
@@ -1116,7 +1114,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 
 	return 1;
 }
-#line 1120 "ext/standard/var_unserializer.c"
+#line 1118 "ext/standard/var_unserializer.c"
 yy76:
 	yych = *++YYCURSOR;
 	if (yych == 'N') goto yy73;
@@ -1143,7 +1141,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	if (yych <= '9') goto yy79;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 549 "ext/standard/var_unserializer.re"
+#line 548 "ext/standard/var_unserializer.re"
 	{
 #if SIZEOF_LONG == 4
 	int digits = YYCURSOR - start - 3;
@@ -1170,32 +1168,32 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	ZVAL_LONG(*rval, parse_iv(start + 2));
 	return 1;
 }
-#line 1174 "ext/standard/var_unserializer.c"
+#line 1172 "ext/standard/var_unserializer.c"
 yy83:
 	yych = *++YYCURSOR;
 	if (yych <= '/') goto yy18;
 	if (yych >= '2') goto yy18;
 	yych = *++YYCURSOR;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 542 "ext/standard/var_unserializer.re"
+#line 541 "ext/standard/var_unserializer.re"
 	{
 	*p = YYCURSOR;
 	INIT_PZVAL(*rval);
 	ZVAL_BOOL(*rval, parse_iv(start + 2));
 	return 1;
 }
-#line 1189 "ext/standard/var_unserializer.c"
+#line 1187 "ext/standard/var_unserializer.c"
 yy87:
 	++YYCURSOR;
-#line 535 "ext/standard/var_unserializer.re"
+#line 534 "ext/standard/var_unserializer.re"
 	{
 	*p = YYCURSOR;
 	INIT_PZVAL(*rval);
 	ZVAL_NULL(*rval);
 	return 1;
 }
-#line 1199 "ext/standard/var_unserializer.c"
+#line 1197 "ext/standard/var_unserializer.c"
 yy89:
 	yych = *++YYCURSOR;
 	if (yych <= ',') {
@@ -1218,7 +1216,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	if (yych <= '9') goto yy91;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 512 "ext/standard/var_unserializer.re"
+#line 511 "ext/standard/var_unserializer.re"
 	{
 	long id;
 
@@ -1241,7 +1239,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	
 	return 1;
 }
-#line 1245 "ext/standard/var_unserializer.c"
+#line 1243 "ext/standard/var_unserializer.c"
 yy95:
 	yych = *++YYCURSOR;
 	if (yych <= ',') {
@@ -1264,7 +1262,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	if (yych <= '9') goto yy97;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 491 "ext/standard/var_unserializer.re"
+#line 490 "ext/standard/var_unserializer.re"
 	{
 	long id;
 
@@ -1285,9 +1283,9 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	
 	return 1;
 }
-#line 1289 "ext/standard/var_unserializer.c"
+#line 1287 "ext/standard/var_unserializer.c"
 }
-#line 840 "ext/standard/var_unserializer.re"
+#line 839 "ext/standard/var_unserializer.re"
 
 
 	return 0;
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
@@ -324,8 +324,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 		if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) {
 			zval_dtor(key);
 			FREE_ZVAL(key);
-			zval_dtor(data);
-			FREE_ZVAL(data);
+			zval_ptr_dtor(&data);
 			return 0;
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -324,8 +324,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long`
`324`	`324`	`if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) {`
`325`	`325`	`zval_dtor(key);`
`326`	`326`	`FREE_ZVAL(key);`
`327`		`- zval_dtor(data);`
`328`		`- FREE_ZVAL(data);`
	`327`	`+ zval_ptr_dtor(&data);`
`329`	`328`	`return 0;`
`330`	`329`	`}`
`331`	`330`