
php-5.2.1-4.4mdv2007.1.src.rpm

--- php-5.2.1/ext/standard/var_unserializer.c.orig	2007-02-06 19:47:41.000000000 -0500
+++ php-5.2.1/ext/standard/var_unserializer.c	2008-06-27 13:32:29.000000000 -0400
@@ -139,12 +139,22 @@ PHPAPI void var_destroy(php_unserialize_
 
 /* }}} */
 
-static char *unserialize_str(const unsigned char **p, int len)
+static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen)
 {
-	int i, j;
-	char *str = emalloc(len+1);
+	size_t i, j;
+	char *str = safe_emalloc(*len, 1, 1);
+	unsigned char *end = *(unsigned char **)p+maxlen;
 
-	for (i = 0; i < len; i++) {
+	if(end < *p) {
+		efree(str);
+		return NULL;
+	}
+
+	for (i = 0; i < *len; i++) {
+		if (*p >= end) {
+			efree(str);
+			return NULL;
+		}
 		if (**p != '\\') {
 			str[i] = (char)**p;
 		} else {
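Review bot: The `*p >= end` guard at the top of the loop body only covers the first byte of each element; the escape branch opened by the `else` on the hunk's last line reads further bytes after the backslash, and since that code lies outside the hunk it presumably still dereferences `*p` past `end` when a `\\` sits at the very end of the input. The same `*p < end` test belongs before each of those reads, and an up-front `if (*len > maxlen) { efree(str); return NULL; }` would reject an oversized declared length before the loop, since every decoded character consumes at least one input byte. Relying on `end < *p` to catch an overflowed `*p + maxlen` is also fragile, because pointer arithmetic beyond the object is undefined and a compiler may drop the comparison; checking `maxlen` against the caller's remaining input count avoids it. The cast `*(unsigned char **)p` discards the parameter's `const` for no benefit, and `const unsigned char *end = *p + maxlen;` compiles without it. unserialize_str's body continues past the hunk.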
@@ -168,6 +178,7 @@ static char *unserialize_str(const unsig
 		(*p)++;
 	}
 	str[i] = 0;
+	*len = i;
 	return str;
 }
 
@@ -385,7 +396,7 @@ PHPAPI int php_var_unserialize(UNSERIALI
 	
 	
 {
-	static unsigned char yybm[] = {
+	static const unsigned char yybm[] = {
 	  0,   0,   0,   0,   0,   0,   0,   0, 
 	  0,   0,   0,   0,   0,   0,   0,   0, 
 	  0,   0,   0,   0,   0,   0,   0,   0, 
@@ -752,7 +763,7 @@ yy45:
 		return 0;
 	}
 
-	if ((str = unserialize_str(&YYCURSOR, len)) == NULL) {
+	if ((str = unserialize_str(&YYCURSOR, &len, maxlen)) == NULL) {
 		return 0;
 	}
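Review bot: The call now passes `&len` to a `size_t *` parameter and adds a `maxlen` argument, but neither variable's declaration is inside the hunk; `len` must be declared `size_t` (the old signature took an `int`) or the call is a pointer-type mismatch, and `maxlen` must already hold the number of input bytes remaining after `YYCURSOR`, which this hunk does not show being computed. Because unserialize_str writes the decoded length back through `&len`, every later use of `len` in this function (outside the hunk) now sees the decoded length rather than the declared one, so a comment such as `/* len is updated in place to the decoded length */` on the call would save the next reader the trip into unserialize_str. The enclosing function continues outside the hunk on both sides.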