Merge pull request #111 from code-tool/unserialize-fixes
Fixed buffer overrun during deserialization of objects
rtheunissen authored Mar 5, 2018
2 parents f3989cb + e39fe16 commit e793a2a
Showing 6 changed files with 6 additions and 30 deletions.
6 changes: 1 addition & 5 deletions src/php/objects/php_deque.c
Expand Up @@ -63,7 +63,7 @@ int php_ds_deque_unserialize(zval *object, zend_class_entry *ce, const unsigned

PHP_VAR_UNSERIALIZE_INIT(unserialize_data);

while (*pos != '}') {
while (pos != end) {
zval *value = var_tmp_var(&unserialize_data);

if ( ! php_var_unserialize(value, &pos, end, &unserialize_data)) {
Expand All @@ -73,10 +73,6 @@ int php_ds_deque_unserialize(zval *object, zend_class_entry *ce, const unsigned
ds_deque_push(deque, value);
}

if (pos != end) {
goto error;
}

ZVAL_DS_DEQUE(object, deque);
PHP_VAR_UNSERIALIZE_DESTROY(unserialize_data);
return SUCCESS;
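Review bot: The new loop condition `while (pos != end)` in php_ds_deque_unserialize stops only on exact equality, so it relies on php_var_unserialize never leaving `pos` beyond `end`; `while (pos < end)` together with the post-loop `if (pos != end) goto error;` that this commit removes would reject an overrun instead of continuing to parse. The same applies to the identical loops in php_priority_queue.c, php_queue.c, php_set.c, php_stack.c and php_vector.c. A short comment above each loop would help keep the byte-terminator test from being reintroduced, for example `/* Bound by end: the payload may be truncated or lack a closing '}'. */`. None of the six changed files appears to be a test, so a regression case that passes a truncated payload through each class's unserialize handler would be worth adding if one does not exist elsewhere. The function bodies start and end outside the hunks shown, so the `error` label and its cleanup were not reviewed.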
6 changes: 1 addition & 5 deletions src/php/objects/php_priority_queue.c
Expand Up @@ -78,7 +78,7 @@ int php_ds_priority_queue_unserialize(zval *object, zend_class_entry *ce, const
PHP_VAR_UNSERIALIZE_INIT(unserialize_data);
ZVAL_DS_PRIORITY_QUEUE(object, queue);

while (*pos != '}') {
while (pos != end) {
zval *value, *priority;

value = var_tmp_var(&unserialize_data);
Expand All @@ -98,10 +98,6 @@ int php_ds_priority_queue_unserialize(zval *object, zend_class_entry *ce, const
ds_priority_queue_push(queue, value, Z_LVAL_P(priority));
}

if (pos != end) {
goto error;
}

PHP_VAR_UNSERIALIZE_DESTROY(unserialize_data);
return SUCCESS;

6 changes: 1 addition & 5 deletions src/php/objects/php_queue.c
Expand Up @@ -64,7 +64,7 @@ int php_ds_queue_unserialize(zval *object, zend_class_entry *ce, const unsigned

PHP_VAR_UNSERIALIZE_INIT(unserialize_data);

while (*pos != '}') {
while (pos != end) {
zval *value = var_tmp_var(&unserialize_data);

if ( ! php_var_unserialize(value, &pos, end, &unserialize_data)) {
Expand All @@ -74,10 +74,6 @@ int php_ds_queue_unserialize(zval *object, zend_class_entry *ce, const unsigned
ds_queue_push_one(queue, value);
}

if (pos != end) {
goto error;
}

ZVAL_DS_QUEUE(object, queue);
PHP_VAR_UNSERIALIZE_DESTROY(unserialize_data);
return SUCCESS;
6 changes: 1 addition & 5 deletions src/php/objects/php_set.c
Expand Up @@ -64,7 +64,7 @@ int php_ds_set_unserialize(zval *object, zend_class_entry *ce, const unsigned ch
PHP_VAR_UNSERIALIZE_INIT(unserialize_data);
ZVAL_DS_SET(object, set);

while (*pos != '}') {
while (pos != end) {
zval *value = var_tmp_var(&unserialize_data);

if ( ! php_var_unserialize(value, &pos, end, &unserialize_data)) {
Expand All @@ -74,10 +74,6 @@ int php_ds_set_unserialize(zval *object, zend_class_entry *ce, const unsigned ch
ds_set_add(set, value);
}

if (pos != end) {
goto error;
}

PHP_VAR_UNSERIALIZE_DESTROY(unserialize_data);
return SUCCESS;

6 changes: 1 addition & 5 deletions src/php/objects/php_stack.c
Expand Up @@ -63,7 +63,7 @@ int php_ds_stack_unserialize(zval *object, zend_class_entry *ce, const unsigned

PHP_VAR_UNSERIALIZE_INIT(unserialize_data);

while (*pos != '}') {
while (pos != end) {
zval *value = var_tmp_var(&unserialize_data);

if ( ! php_var_unserialize(value, &pos, end, &unserialize_data)) {
Expand All @@ -73,10 +73,6 @@ int php_ds_stack_unserialize(zval *object, zend_class_entry *ce, const unsigned
ds_stack_push(stack, value);
}

if (pos != end) {
goto error;
}

ZVAL_DS_STACK(object, stack);
PHP_VAR_UNSERIALIZE_DESTROY(unserialize_data);
return SUCCESS;
6 changes: 1 addition & 5 deletions src/php/objects/php_vector.c
Expand Up @@ -63,7 +63,7 @@ int php_ds_vector_unserialize(zval *obj, zend_class_entry *ce, const unsigned ch

PHP_VAR_UNSERIALIZE_INIT(unserialize_data);

while (*pos != '}') {
while (pos != end) {
zval *value = var_tmp_var(&unserialize_data);

if ( ! php_var_unserialize(value, &pos, end, &unserialize_data)) {
Expand All @@ -73,10 +73,6 @@ int php_ds_vector_unserialize(zval *obj, zend_class_entry *ce, const unsigned ch
ds_vector_push(vector, value);
}

if (pos != end) {
goto error;
}

ZVAL_DS_VECTOR(obj, vector);
PHP_VAR_UNSERIALIZE_DESTROY(unserialize_data);
return SUCCESS;