Backport of: From b7fa67742cd8d2b0ca0c0273b157f6ffee9ad6e2 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 26 Jul 2015 17:25:25 -0700 Subject: [PATCH] Fix bug #70068 (Dangling pointer in the unserialization of ArrayObject items) --- ext/spl/spl_array.c | 90 +++++++++++++++++++++++---------------------- ext/spl/tests/bug70068.phpt | 9 +++++ 2 files changed, 56 insertions(+), 43 deletions(-) create mode 100644 ext/spl/tests/bug70068.phpt Index: php5-5.6.11+dfsg/ext/spl/spl_array.c =================================================================== --- php5-5.6.11+dfsg.orig/ext/spl/spl_array.c 2015-09-25 10:57:14.035220128 -0400 +++ php5-5.6.11+dfsg/ext/spl/spl_array.c 2015-09-25 10:57:57.791716728 -0400 @@ -1770,14 +1770,12 @@ ALLOC_INIT_ZVAL(pflags); if (!php_var_unserialize(&pflags, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pflags) != IS_LONG) { - zval_ptr_dtor(&pflags); goto outexcept; } var_push_dtor(&var_hash, &pflags); --p; /* for ';' */ flags = Z_LVAL_P(pflags); - zval_ptr_dtor(&pflags); /* flags needs to be verified and we also need to verify whether the next * thing we get is ';'. After that we require an 'm' or somethign else * where 'm' stands for members and anything else should be an array. If @@ -1829,10 +1827,16 @@ /* done reading $serialized */ PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + if (pflags) { + zval_ptr_dtor(&pflags); + } return; outexcept: PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + if (pflags) { + zval_ptr_dtor(&pflags); + } zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len); return; Index: php5-5.6.11+dfsg/ext/spl/tests/bug70068.phpt =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ php5-5.6.11+dfsg/ext/spl/tests/bug70068.phpt 2015-09-25 10:57:14.031220083 -0400 @@ -0,0 +1,9 @@ +--TEST-- +Bug #70068 (Dangling pointer in the unserialization of ArrayObject items) +--FILE-- + +OK +--EXPECT-- +OK \ No newline at end of file