Unserialize: Warn if extra data is appended to the serialized string

TimWolla · TimWolla · commit 99c60199372f · 2022-09-28T18:22:39.000+02:00
diff --git a/ext/standard/tests/serialize/typed_property_ref_overwrite.phpt b/ext/standard/tests/serialize/typed_property_ref_overwrite.phpt
@@ -7,7 +7,7 @@ class Test {
     public ?object $prop;
 }
 $s = <<<'STR'
-O:4:"Test":2:{s:4:"prop";R:1;s:4:"prop";N;}}
+O:4:"Test":2:{s:4:"prop";R:1;s:4:"prop";N;}
 STR;
 var_dump(unserialize($s));
 
diff --git a/ext/standard/tests/serialize/unserialize_extra_data.phpt b/ext/standard/tests/serialize/unserialize_extra_data.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Extra data at the end of a valid value
+--FILE--
+<?php
+
+var_dump(unserialize('i:5;i:6;'));
+var_dump(unserialize('N;i:6;'));
+var_dump(unserialize('b:1;i:6;'));
+var_dump(unserialize('a:1:{s:3:"foo";b:1;}i:6;'));
+
+?>
+--EXPECTF--
+Warning: unserialize(): Extra data starting at offset 4 of 8 bytes in %s on line %d
+int(5)
+
+Warning: unserialize(): Extra data starting at offset 2 of 6 bytes in %s on line %d
+NULL
+
+Warning: unserialize(): Extra data starting at offset 4 of 8 bytes in %s on line %d
+bool(true)
+
+Warning: unserialize(): Extra data starting at offset 20 of 24 bytes in %s on line %d
+array(1) {
+  ["foo"]=>
+  bool(true)
+}
diff --git a/ext/standard/var.c b/ext/standard/var.c
@@ -1406,6 +1406,11 @@ PHPAPI void php_unserialize_with_options(zval *return_value, const char *buf, co
 			zval_ptr_dtor(return_value);
 		}
 		RETVAL_FALSE;
+	} else if ((char*)p < buf + buf_len) {
+		if (!EG(exception)) {
+			php_error_docref(NULL, E_WARNING, "Extra data starting at offset " ZEND_LONG_FMT " of %zd bytes",
+				(zend_long)((char*)p - buf), buf_len);
+		}
 	} else if (BG(unserialize).level > 1) {
 		ZVAL_COPY(return_value, retval);
 	} else if (Z_REFCOUNTED_P(return_value)) {

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ class Test {`
`7`	`7`	`public ?object $prop;`
`8`	`8`	`}`
`9`	`9`	`$s = <<<'STR'`
`10`		`-O:4:"Test":2:{s:4:"prop";R:1;s:4:"prop";N;}}`
	`10`	`+O:4:"Test":2:{s:4:"prop";R:1;s:4:"prop";N;}`
`11`	`11`	`STR;`
`12`	`12`	`var_dump(unserialize($s));`
`13`	`13`