File php-4.3.9-unserial.patch of Package php4
- unserializer fixes from 4.3.11 --- php-4.3.9/ext/standard/var_unserializer.c.unserial +++ php-4.3.9/ext/standard/var_unserializer.c @@ -29,7 +29,7 @@ typedef struct { zval *data[VAR_ENTRIES_MAX]; - int used_slots; + long used_slots; void *next; } var_entries; @@ -56,9 +56,33 @@ var_hash->data[var_hash->used_slots++] = *rval; } +static inline void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) +{ + var_entries *var_hash = var_hashx->first_dtor, *prev = NULL; + + while (var_hash && var_hash->used_slots == VAR_ENTRIES_MAX) { + prev = var_hash; + var_hash = var_hash->next; + } + + if (!var_hash) { + var_hash = emalloc(sizeof(var_entries)); + var_hash->used_slots = 0; + var_hash->next = 0; + + if (!var_hashx->first_dtor) + var_hashx->first_dtor = var_hash; + else + prev->next = var_hash; + } + + (*rval)->refcount++; + var_hash->data[var_hash->used_slots++] = *rval; +} + PHPAPI void var_replace(php_unserialize_data_t *var_hashx, zval *ozval, zval **nzval) { - int i; + long i; var_entries *var_hash = var_hashx->first; while (var_hash) { @@ -72,7 +96,7 @@ } } -static int var_access(php_unserialize_data_t *var_hashx, int id, zval ***store) +static int var_access(php_unserialize_data_t *var_hashx, long id, zval ***store) { var_entries *var_hash = var_hashx->first; @@ -93,6 +117,7 @@ PHPAPI void var_destroy(php_unserialize_data_t *var_hashx) { void *next; + long i; var_entries *var_hash = var_hashx->first; while (var_hash) { @@ -100,6 +125,17 @@ efree(var_hash); var_hash = next; } + + var_hash = var_hashx->first_dtor; + + while (var_hash) { + for (i = 0; i < var_hash->used_slots; i++) { + zval_ptr_dtor(&var_hash->data[i]); + } + next = var_hash->next; + efree(var_hash); + var_hash = next; + } } /* }}} */ 
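Review bot: var_push_dtor() reads `var_hashx->first_dtor` on its first line without checking `var_hashx`, while the two actions later in this patch that declare `long id` begin with `if (!var_hash) return 0;`, which suggests the unserialize context can be NULL. Both new call sites in process_nested_data() pass `var_hash` straight through, so a guard such as `if (!var_hashx) return;` at the top would keep a duplicate key from dereferencing a NULL context. A comment above `(*rval)->refcount++` would also help, saying that the extra reference keeps the overwritten value alive until var_destroy(), presumably so that entries already recorded for it do not dangle.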
@@ -111,15 +147,15 @@ #define YYMARKER marker -#line 118 +#line 154 "/usr/src/php/php_4_3/ext/standard/var_unserializer.re" -static inline int parse_iv2(const unsigned char *p, const unsigned char **q) +static inline long parse_iv2(const unsigned char *p, const unsigned char **q) { char cursor; - int result = 0; + long result = 0; int neg = 0; switch (*p) { @@ -144,7 +180,7 @@ return result; } -static inline int parse_iv(const unsigned char *p) +static inline long parse_iv(const unsigned char *p) { return parse_iv2(p, NULL); } @@ -174,10 +210,10 @@ #define UNSERIALIZE_PARAMETER zval **rval, const unsigned char **p, const unsigned char *max, php_unserialize_data_t *var_hash TSRMLS_DC #define UNSERIALIZE_PASSTHRU rval, p, max, var_hash TSRMLS_CC -static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, int elements) +static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long elements) { while (elements-- > 0) { - zval *key, *data, *old_data; + zval *key, *data, **old_data; ALLOC_INIT_ZVAL(key); @@ -205,14 +241,14 @@ switch (Z_TYPE_P(key)) { case IS_LONG: - if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data)) { - var_replace(var_hash, old_data, rval); + if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data)==SUCCESS) { + var_push_dtor(var_hash, old_data); } zend_hash_index_update(ht, Z_LVAL_P(key), &data, sizeof(data), NULL); break; case IS_STRING: - if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)) { - var_replace(var_hash, old_data, rval); + if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { + var_push_dtor(var_hash, old_data); } zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof(data), NULL); break; @@ -243,7 +279,7 @@ static inline int object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce) { - int elements; + long elements; elements = parse_iv2((*p) + 2, p); 
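Review bot: Widening `result` to `long` in parse_iv2() does not by itself bound the parsed value. The digit loop lies outside this hunk, but if it still accumulates with a plain multiply-and-add, a long enough digit run in the serialized input overflows a signed `long`, which is undefined behaviour. Consider failing the parse once `result > (LONG_MAX - digit) / 10`, or add a comment stating that every caller must range-check the result.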
@@ -253,7 +289,7 @@ return elements; } -static inline int object_common2(UNSERIALIZE_PARAMETER, int elements) +static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) { zval *retval_ptr = NULL; zval fname; @@ -302,6 +338,8 @@ + +#line 7 "<stdout>" { YYCTYPE yych; unsigned int yyaccept; @@ -340,7 +378,7 @@ 0, 0, 0, 0, 0, 0, 0, 0, }; goto yy0; -yy1: ++YYCURSOR; + ++YYCURSOR; yy0: if((YYLIMIT - YYCURSOR) < 7) YYFILL(7); yych = *YYCURSOR; @@ -380,7 +418,8 @@ goto yy16; } else { if(yych <= '}') goto yy14; - if(yych <= '\277') goto yy16; + if(yych <= 0xBF) goto yy16; + goto yy2; } } } @@ -391,9 +430,11 @@ yy3: yyaccept = 0; yych = *(YYMARKER = ++YYCURSOR); if(yych == ':') goto yy87; + goto yy4; yy4: -#line 532 +#line 590 "/usr/src/php/php_4_3/ext/standard/var_unserializer.re" { return 0; } +#line 102 "<stdout>" yy5: yyaccept = 0; yych = *(YYMARKER = ++YYCURSOR); if(yych == ':') goto yy81; 
@@ -429,35 +470,48 @@ yych = *(YYMARKER = ++YYCURSOR); if(yych == ':') goto yy17; goto yy4; -yy14: yych = *++YYCURSOR; +yy14: ++YYCURSOR; + goto yy15; yy15: -#line 526 +#line 584 "/usr/src/php/php_4_3/ext/standard/var_unserializer.re" { /* this is the case where we have less data than planned */ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data"); return 0; /* not sure if it should be 0 or 1 here? */ } +#line 147 "<stdout>" yy16: yych = *++YYCURSOR; goto yy4; yy17: yych = *++YYCURSOR; - if(yybm[0+yych] & 128) goto yy19; + if(yybm[0+yych] & 128) { + goto yy19; + } if(yych != '+') goto yy2; + goto yy18; yy18: yych = *++YYCURSOR; - if(yybm[0+yych] & 128) goto yy19; + if(yybm[0+yych] & 128) { + goto yy19; + } goto yy2; yy19: ++YYCURSOR; - if(YYLIMIT == YYCURSOR) YYFILL(1); + if((YYLIMIT - YYCURSOR) < 2) YYFILL(2); yych = *YYCURSOR; -yy20: if(yybm[0+yych] & 128) goto yy19; + goto yy20; +yy20: if(yybm[0+yych] & 128) { + goto yy19; + } if(yych != ':') goto yy2; + goto yy21; yy21: yych = *++YYCURSOR; if(yych != '"') goto yy2; -yy22: yych = *++YYCURSOR; + goto yy22; +yy22: ++YYCURSOR; + goto yy23; yy23: -#line 445 +#line 495 "/usr/src/php/php_4_3/ext/standard/var_unserializer.re" { - size_t len, len2, maxlen; - int elements; + size_t len, len2, len3, maxlen; + long elements; char *class_name; zend_class_entry *ce; int incomplete_class = 0; @@ -491,6 +545,14 @@ class_name = str_tolower_copy((char *)emalloc(len+1), class_name, len); class_name[len] = '\0'; + len3 = strspn(class_name, "0123456789_abcdefghijklmnopqrstuvwxyz"); + if (len3 != len) + { + *p = YYCURSOR + len3 - len; + efree(class_name); + return 0; + } + if (zend_hash_find(CG(class_table), class_name, len + 1, (void **) &ce) != SUCCESS) { if ((PG(unserialize_callback_func) == NULL) || (PG(unserialize_callback_func)[0] == '\0')) { incomplete_class = 1; 
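Review bot: The new `strspn()` allowlist in the object action has no comment saying what it protects or that it depends on the `str_tolower_copy()` call just above it. Something like `/* class name comes from the serialized input: allow only [0-9_a-z] (already lowercased) before it is used as a class_table key */` would record both. Bytes 0x7f–0xff, which the PHP lexer accepts in identifiers, are rejected too, and `strspn()` stops at an embedded NUL; say in the comment whether both are intended.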
@@ -535,9 +597,11 @@ return object_common2(UNSERIALIZE_PASSTHRU, elements); } +#line 266 "<stdout>" yy24: yych = *++YYCURSOR; if(yych <= ','){ if(yych != '+') goto yy2; + goto yy25; } else { if(yych <= '-') goto yy25; if(yych <= '/') goto yy2; @@ -547,17 +611,22 @@ yy25: yych = *++YYCURSOR; if(yych <= '/') goto yy2; if(yych >= ':') goto yy2; + goto yy26; yy26: ++YYCURSOR; - if(YYLIMIT == YYCURSOR) YYFILL(1); + if((YYLIMIT - YYCURSOR) < 2) YYFILL(2); yych = *YYCURSOR; + goto yy27; yy27: if(yych <= '/') goto yy2; if(yych <= '9') goto yy26; if(yych >= ';') goto yy2; + goto yy28; yy28: yych = *++YYCURSOR; if(yych != '"') goto yy2; -yy29: yych = *++YYCURSOR; + goto yy29; +yy29: ++YYCURSOR; + goto yy30; yy30: -#line 437 +#line 487 "/usr/src/php/php_4_3/ext/standard/var_unserializer.re" { INIT_PZVAL(*rval); @@ -565,6 +634,7 @@ return object_common2(UNSERIALIZE_PASSTHRU, object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR)); } +#line 304 "<stdout>" yy31: yych = *++YYCURSOR; if(yych == '+') goto yy32; if(yych <= '/') goto yy2; @@ -573,22 +643,31 @@ yy32: yych = *++YYCURSOR; if(yych <= '/') goto yy2; if(yych >= ':') goto yy2; + goto yy33; yy33: ++YYCURSOR; - if(YYLIMIT == YYCURSOR) YYFILL(1); + if((YYLIMIT - YYCURSOR) < 2) YYFILL(2); yych = *YYCURSOR; + goto yy34; yy34: if(yych <= '/') goto yy2; if(yych <= '9') goto yy33; if(yych >= ';') goto yy2; + goto yy35; yy35: yych = *++YYCURSOR; if(yych != '{') goto yy2; -yy36: yych = *++YYCURSOR; + goto yy36; +yy36: ++YYCURSOR; + goto yy37; yy37: -#line 419 +#line 461 "/usr/src/php/php_4_3/ext/standard/var_unserializer.re" { - int elements = parse_iv(start + 2); - + long elements = parse_iv(start + 2); + /* use iv() not uiv() in order to check data range */ *p = YYCURSOR; + if (elements < 0) { + return 0; + } + INIT_PZVAL(*rval); Z_TYPE_PP(rval) = IS_ARRAY; ALLOC_HASHTABLE(Z_ARRVAL_PP(rval)); 
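Review bot: The new `if (elements < 0) return 0;` in the array action rejects negative counts but leaves the upper end open, so a few bytes of input can still declare an enormous element count. The hash table set up just after this hunk is presumably sized from `elements`. Since every element needs several bytes of input, a bound tied to the remaining data, e.g. `if (elements < 0 || elements > max - YYCURSOR) return 0;`, would reject such counts before anything is allocated. The action continues beyond the hunk, so confirm how `elements` is used there.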
@@ -601,6 +680,7 @@ return finish_nested_data(UNSERIALIZE_PASSTHRU); } +#line 355 "<stdout>" yy38: yych = *++YYCURSOR; if(yych == '+') goto yy39; if(yych <= '/') goto yy2; @@ -609,17 +689,22 @@ yy39: yych = *++YYCURSOR; if(yych <= '/') goto yy2; if(yych >= ':') goto yy2; + goto yy40; yy40: ++YYCURSOR; - if(YYLIMIT == YYCURSOR) YYFILL(1); + if((YYLIMIT - YYCURSOR) < 2) YYFILL(2); yych = *YYCURSOR; + goto yy41; yy41: if(yych <= '/') goto yy2; if(yych <= '9') goto yy40; if(yych >= ';') goto yy2; + goto yy42; yy42: yych = *++YYCURSOR; if(yych != '"') goto yy2; -yy43: yych = *++YYCURSOR; + goto yy43; +yy43: ++YYCURSOR; + goto yy44; yy44: -#line 391 +#line 433 "/usr/src/php/php_4_3/ext/standard/var_unserializer.re" { size_t len, maxlen; char *str; @@ -647,6 +732,7 @@ ZVAL_STRINGL(*rval, str, len, 1); return 1; } +#line 408 "<stdout>" yy45: yych = *++YYCURSOR; if(yych <= '/'){ if(yych <= ','){ @@ -664,6 +750,7 @@ goto yy48; } else { if(yych != 'N') goto yy2; + goto yy46; } } yy46: yych = *++YYCURSOR; @@ -676,6 +763,7 @@ } else { if(yych <= '9') goto yy50; if(yych != 'I') goto yy2; + goto yy48; } yy48: yych = *++YYCURSOR; if(yych == 'N') goto yy64; @@ -684,9 +772,11 @@ if(yych == '.') goto yy52; if(yych <= '/') goto yy2; if(yych >= ':') goto yy2; + goto yy50; yy50: ++YYCURSOR; - if(YYLIMIT == YYCURSOR) YYFILL(1); + if((YYLIMIT - YYCURSOR) < 4) YYFILL(4); yych = *YYCURSOR; + goto yy51; yy51: if(yych <= ':'){ if(yych <= '.'){ if(yych <= '-') goto yy2; @@ -709,13 +799,16 @@ yy52: yych = *++YYCURSOR; if(yych <= '/') goto yy2; if(yych >= ':') goto yy2; + goto yy53; yy53: ++YYCURSOR; - if(YYLIMIT == YYCURSOR) YYFILL(1); + if((YYLIMIT - YYCURSOR) < 4) YYFILL(4); yych = *YYCURSOR; + goto yy54; yy54: if(yych <= ';'){ if(yych <= '/') goto yy2; if(yych <= '9') goto yy53; if(yych <= ':') goto yy2; + goto yy55; } else { if(yych <= 'E'){ if(yych <= 'D') goto yy2; 
@@ -725,18 +818,21 @@ goto yy2; } } -yy55: yych = *++YYCURSOR; +yy55: ++YYCURSOR; + goto yy56; yy56: -#line 384 +#line 426 "/usr/src/php/php_4_3/ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); - ZVAL_DOUBLE(*rval, atof(start + 2)); + ZVAL_DOUBLE(*rval, atof(start + 2)); return 1; } +#line 506 "<stdout>" yy57: yych = *++YYCURSOR; if(yych <= ','){ if(yych != '+') goto yy2; + goto yy58; } else { if(yych <= '-') goto yy58; if(yych <= '/') goto yy2; @@ -751,10 +847,12 @@ if(yych <= '-') goto yy61; if(yych <= '/') goto yy2; if(yych >= ':') goto yy2; + goto yy59; } yy59: ++YYCURSOR; if(YYLIMIT == YYCURSOR) YYFILL(1); yych = *YYCURSOR; + goto yy60; yy60: if(yych <= '/') goto yy2; if(yych <= '9') goto yy59; if(yych == ';') goto yy55; @@ -766,6 +864,7 @@ yy62: ++YYCURSOR; if((YYLIMIT - YYCURSOR) < 4) YYFILL(4); yych = *YYCURSOR; + goto yy63; yy63: if(yych <= ';'){ if(yych <= '/') goto yy2; if(yych <= '9') goto yy62; @@ -782,17 +881,18 @@ } yy64: yych = *++YYCURSOR; if(yych != 'F') goto yy2; + goto yy65; yy65: yych = *++YYCURSOR; if(yych != ';') goto yy2; -yy66: yych = *++YYCURSOR; + goto yy66; +yy66: ++YYCURSOR; + goto yy67; yy67: -#line 367 +#line 411 "/usr/src/php/php_4_3/ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); -#if 1 - ZVAL_DOUBLE(*rval, atof(start + 2)); -#else + if (!strncmp(start + 2, "NAN", 3)) { ZVAL_DOUBLE(*rval, php_get_nan()); } else if (!strncmp(start + 2, "INF", 3)) { @@ -800,15 +900,17 @@ } else if (!strncmp(start + 2, "-INF", 4)) { ZVAL_DOUBLE(*rval, -php_get_inf()); } -#endif + return 1; } +#line 583 "<stdout>" yy68: yych = *++YYCURSOR; if(yych == 'N') goto yy65; goto yy2; yy69: yych = *++YYCURSOR; if(yych <= ','){ if(yych != '+') goto yy2; + goto yy70; } else { if(yych <= '-') goto yy70; if(yych <= '/') goto yy2; 
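Review bot: With the `#if 1`/`#else` removed, the `strncmp()` chain in the `yy67` action has no final `else`. If the scanner ever reaches it with a spelling other than `NAN`, `INF` or `-INF`, the action returns 1 with only `INIT_PZVAL(*rval)` applied and no type or value set. The states above appear to admit only those three spellings, but a closing `else { return 0; }` makes that explicit and fails closed if the grammar changes.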
@@ -818,47 +920,59 @@ yy70: yych = *++YYCURSOR; if(yych <= '/') goto yy2; if(yych >= ':') goto yy2; + goto yy71; yy71: ++YYCURSOR; if(YYLIMIT == YYCURSOR) YYFILL(1); yych = *YYCURSOR; + goto yy72; yy72: if(yych <= '/') goto yy2; if(yych <= '9') goto yy71; if(yych != ';') goto yy2; -yy73: yych = *++YYCURSOR; + goto yy73; +yy73: ++YYCURSOR; + goto yy74; yy74: -#line 360 +#line 404 "/usr/src/php/php_4_3/ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_LONG(*rval, parse_iv(start + 2)); return 1; } +#line 620 "<stdout>" yy75: yych = *++YYCURSOR; if(yych <= '/') goto yy2; if(yych >= '2') goto yy2; + goto yy76; yy76: yych = *++YYCURSOR; if(yych != ';') goto yy2; -yy77: yych = *++YYCURSOR; + goto yy77; +yy77: ++YYCURSOR; + goto yy78; yy78: -#line 353 +#line 397 "/usr/src/php/php_4_3/ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_BOOL(*rval, parse_iv(start + 2)); return 1; } -yy79: yych = *++YYCURSOR; +#line 638 "<stdout>" +yy79: ++YYCURSOR; + goto yy80; yy80: -#line 346 +#line 390 "/usr/src/php/php_4_3/ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_NULL(*rval); return 1; } +#line 649 "<stdout>" yy81: yych = *++YYCURSOR; if(yych <= ','){ if(yych != '+') goto yy2; + goto yy82; } else { if(yych <= '-') goto yy82; if(yych <= '/') goto yy2; @@ -868,17 +982,21 @@ yy82: yych = *++YYCURSOR; if(yych <= '/') goto yy2; if(yych >= ':') goto yy2; + goto yy83; yy83: ++YYCURSOR; if(YYLIMIT == YYCURSOR) YYFILL(1); yych = *YYCURSOR; + goto yy84; yy84: if(yych <= '/') goto yy2; if(yych <= '9') goto yy83; if(yych != ';') goto yy2; -yy85: yych = *++YYCURSOR; + goto yy85; +yy85: ++YYCURSOR; + goto yy86; yy86: -#line 325 +#line 367 "/usr/src/php/php_4_3/ext/standard/var_unserializer.re" { - int id; + long id; *p = YYCURSOR; if (!var_hash) return 0; 
@@ -899,9 +1017,11 @@ return 1; } +#line 699 "<stdout>" yy87: yych = *++YYCURSOR; if(yych <= ','){ if(yych != '+') goto yy2; + goto yy88; } else { if(yych <= '-') goto yy88; if(yych <= '/') goto yy2; @@ -911,17 +1031,21 @@ yy88: yych = *++YYCURSOR; if(yych <= '/') goto yy2; if(yych >= ':') goto yy2; + goto yy89; yy89: ++YYCURSOR; if(YYLIMIT == YYCURSOR) YYFILL(1); yych = *YYCURSOR; + goto yy90; yy90: if(yych <= '/') goto yy2; if(yych <= '9') goto yy89; if(yych != ';') goto yy2; -yy91: yych = *++YYCURSOR; + goto yy91; +yy91: ++YYCURSOR; + goto yy92; yy92: -#line 304 +#line 346 "/usr/src/php/php_4_3/ext/standard/var_unserializer.re" { - int id; + long id; *p = YYCURSOR; if (!var_hash) return 0; @@ -940,8 +1064,9 @@ return 1; } +#line 747 "<stdout>" } -#line 534 +#line 592 "/usr/src/php/php_4_3/ext/standard/var_unserializer.re" return 0; --- php-4.3.9/ext/standard/php_var.h.unserial +++ php-4.3.9/ext/standard/php_var.h @@ -41,6 +41,7 @@ struct php_unserialize_data { void *first; + void *first_dtor; }; typedef struct php_unserialize_data php_unserialize_data_t; @@ -54,7 +55,8 @@ zend_hash_destroy(&(var_hash)) #define PHP_VAR_UNSERIALIZE_INIT(var_hash) \ - (var_hash).first = 0 + (var_hash).first = 0; \ + (var_hash).first_dtor = 0 #define PHP_VAR_UNSERIALIZE_DESTROY(var_hash) \ var_destroy(&(var_hash))
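Review bot: PHP_VAR_UNSERIALIZE_INIT in php_var.h now expands to two statements, so `if (cond) PHP_VAR_UNSERIALIZE_INIT(h);` would run the `first_dtor` assignment unconditionally, and the macro can no longer be used as an expression. Keeping it a single expression avoids both: `((var_hash).first = 0, (var_hash).first_dtor = 0)`. Also, var_destroy() now walks `first_dtor`, so any code that fills in `struct php_unserialize_data` by hand instead of through this macro would hand it an uninitialised pointer. A comment on the new field saying it must be zeroed via the macro would help.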