Skip to content

Commit b29b846

Browse files
nikicnikic
committed
Merge branch 'PHP-7.3' into PHP-7.4
2 parents c8359fc + 74876f0 commit b29b846

File tree

2 files changed

+18
-0
lines changed

2 files changed

+18
-0
lines changed

ext/spl/spl_observer.c

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -800,12 +800,14 @@ SPL_METHOD(SplObjectStorage, unserialize)
800800
}
801801
/* store reference to allow cross-references between different elements */
802802
if (!php_var_unserialize(&entry, &p, s + buf_len, &var_hash)) {
803+
zval_ptr_dtor(&entry);
803804
goto outexcept;
804805
}
805806
if (*p == ',') { /* new version has inf */
806807
++p;
807808
if (!php_var_unserialize(&inf, &p, s + buf_len, &var_hash)) {
808809
zval_ptr_dtor(&entry);
810+
zval_ptr_dtor(&inf);
809811
goto outexcept;
810812
}
811813
}

ext/standard/tests/serialize/unserialize_leak.phpt

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,16 @@
1+
--TEST--
2+
Unserialize leak in SplObjectStorage
3+
--FILE--
4+
<?php
5+
6+
$payload = 'C:16:"SplObjectStorage":113:{x:i:2;O:8:"stdClass":1:{},a:2:{s:4:"prev";i:2;s:4:"next";O:8:"stdClass":0:{}};r:7;,R:2;s:4:"next";;r:3;};m:a:0:{}}';
7+
try {
8+
var_dump(unserialize($payload));
9+
} catch (Exception $e) {
10+
echo $e->getMessage(), "\n";
11+
}
12+
13+
?>
14+
--EXPECTF--
15+
Notice: SplObjectStorage::unserialize(): Unexpected end of serialized data in %s on line %d
16+
Error at offset 24 of 113 bytes

0 commit comments

Comments
 (0)