--- php-5.2.1/ext/standard/var_unserializer.c.orig 2007-02-06 19:47:41.000000000 -0500
+++ php-5.2.1/ext/standard/var_unserializer.c 2008-06-27 13:32:29.000000000 -0400
@@ -139,12 +139,22 @@ PHPAPI void var_destroy(php_unserialize_
 /* }}} */
 
-static char *unserialize_str(const unsigned char **p, int len)
+static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen)
 {
-	int i, j;
-	char *str = emalloc(len+1);
+	size_t i, j;
+	char *str = safe_emalloc(*len, 1, 1);
+	unsigned char *end = *(unsigned char **)p+maxlen;
 
-	for (i = 0; i < len; i++) {
+	if(end < *p) {
+		efree(str);
+		return NULL;
+	}
+
+	for (i = 0; i < *len; i++) {
+		if (*p >= end) {
+			efree(str);
+			return NULL;
+		}
 		if (**p != '\\') {
 			str[i] = (char)**p;
 		} else {
@@ -168,6 +178,7 @@ static char *unserialize_str(const unsig
 		(*p)++;
 	}
 	str[i] = 0;
+	*len = i;
 	return str;
 }
 
@@ -385,7 +396,7 @@ PHPAPI int php_var_unserialize(UNSERIALI
 {
-	static unsigned char yybm[] = {
+	static const unsigned char yybm[] = {
 	0, 0, 0, 0, 0, 0, 0, 0,
 	0, 0, 0, 0, 0, 0, 0, 0,
 	0, 0, 0, 0, 0, 0, 0, 0,
@@ -752,7 +763,7 @@ yy45:
 		return 0;
 	}
 
-	if ((str = unserialize_str(&YYCURSOR, len)) == NULL) {
+	if ((str = unserialize_str(&YYCURSOR, &len, maxlen)) == NULL) {
 		return 0;
 	}
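Review bot: The bound `end = *p + maxlen` followed by `if(end < *p)` relies on pointer wraparound to detect an oversized `maxlen`, but forming a pointer past the buffer and comparing it is undefined behaviour in C, so the compiler may drop that check; compare sizes instead, e.g. `if (maxlen < *len) { efree(str); return NULL; }` and keep a remaining-byte count in the loop. The per-iteration `if (*p >= end)` guards only the byte read at the top of the loop body; the escape branch that starts at `} else {` continues past the end of this hunk and, if it advances `*p` to read further bytes of the escape, those reads need their own check against `end`. The cast `*(unsigned char **)p` discards the `const` from the parameter for no reason, since `end` is only compared — `const unsigned char *end = *p + maxlen;` works as written. On the NULL return paths `*len` is left at the caller's requested length (the `*len = i;` assignment in the next hunk runs only on success); the header comment should say so, e.g. `/* On NULL return *p and *len are unspecified; on success *len is the number of bytes stored. */`.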
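Review bot: The new call `unserialize_str(&YYCURSOR, &len, maxlen)` passes `&len` where the callee now takes `size_t *`, but neither the declaration of `len` nor where `maxlen` is computed is in this hunk; if `len` is still the `int` the old signature accepted, the address is an incompatible pointer and a negative parsed length would be reinterpreted as a huge `size_t` before the callee can bound it. If those declarations are changed elsewhere in the patch this is fine, but the hunk as shown cannot establish it; a reviewer would want `len` declared `size_t` and rejected before the call when it exceeds the bytes remaining up to `max`, and `maxlen` derived from that same remaining count. The enclosing `yy45:` state continues outside the hunk, so the subsequent check of the closing `";` against the updated `len` should be confirmed there as well.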