--- embedaddon/php/ext/standard/var_unserializer.c 2012/05/29 12:34:43 1.1.1.2 +++ embedaddon/php/ext/standard/var_unserializer.c 2014/06/15 20:03:57 1.1.1.5 @@ -1,9 +1,9 @@ -/* Generated by re2c 0.13.5 on Wed Nov 9 19:37:48 2011 */ +/* Generated by re2c 0.13.5 on Fri Apr 18 15:07:27 2014 */ /* +----------------------------------------------------------------------+ | PHP Version 5 | +----------------------------------------------------------------------+ - | Copyright (c) 1997-2012 The PHP Group | + | Copyright (c) 1997-2013 The PHP Group | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | @@ -17,7 +17,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: var_unserializer.c,v 1.1.1.2 2012/05/29 12:34:43 misho Exp $ */ +/* $Id: var_unserializer.c,v 1.1.1.5 2014/06/15 20:03:57 misho Exp $ */ #include "php.h" #include "ext/standard/php_var.h" @@ -25,6 +25,7 @@ /* {{{ reference-handling for unserializer: var_* */ #define VAR_ENTRIES_MAX 1024 +#define VAR_ENTRIES_DBG 0 typedef struct { zval *data[VAR_ENTRIES_MAX]; @@ -35,7 +36,7 @@ typedef struct { static inline void var_push(php_unserialize_data_t *var_hashx, zval **rval) { var_entries *var_hash = (*var_hashx)->last; -#if 0 +#if VAR_ENTRIES_DBG fprintf(stderr, "var_push(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval)); #endif @@ -59,7 +60,7 @@ static inline void var_push(php_unserialize_data_t *va PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) { var_entries *var_hash = (*var_hashx)->last_dtor; -#if 0 +#if VAR_ENTRIES_DBG fprintf(stderr, "var_push_dtor(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval)); #endif @@ -81,11 +82,35 @@ PHPAPI void var_push_dtor(php_unserialize_data_t *var_ var_hash->data[var_hash->used_slots++] = *rval; } +PHPAPI void var_push_dtor_no_addref(php_unserialize_data_t *var_hashx, zval **rval) +{ + var_entries *var_hash = (*var_hashx)->last_dtor; +#if VAR_ENTRIES_DBG + fprintf(stderr, "var_push_dtor_no_addref(%ld): %d (%d)\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval)); +#endif + + if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) { + var_hash = emalloc(sizeof(var_entries)); + var_hash->used_slots = 0; + var_hash->next = 0; + + if (!(*var_hashx)->first_dtor) { + (*var_hashx)->first_dtor = var_hash; + } else { + ((var_entries *) (*var_hashx)->last_dtor)->next = var_hash; + } + + (*var_hashx)->last_dtor = var_hash; + } + + var_hash->data[var_hash->used_slots++] = *rval; +} + PHPAPI void var_replace(php_unserialize_data_t *var_hashx, zval *ozval, zval **nzval) { long i; var_entries *var_hash = (*var_hashx)->first; -#if 0 +#if VAR_ENTRIES_DBG fprintf(stderr, "var_replace(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(nzval)); #endif @@ -103,7 +128,7 @@ PHPAPI void var_replace(php_unserialize_data_t *var_ha static int var_access(php_unserialize_data_t *var_hashx, long id, zval ***store) { var_entries *var_hash = (*var_hashx)->first; -#if 0 +#if VAR_ENTRIES_DBG fprintf(stderr, "var_access(%ld): %ld\n", var_hash?var_hash->used_slots:-1L, id); #endif @@ -126,7 +151,7 @@ PHPAPI void var_destroy(php_unserialize_data_t *var_ha void *next; long i; var_entries *var_hash = (*var_hashx)->first; -#if 0 +#if VAR_ENTRIES_DBG fprintf(stderr, "var_destroy(%ld)\n", var_hash?var_hash->used_slots:-1L); #endif @@ -369,7 +394,15 @@ static inline long object_common1(UNSERIALIZE_PARAMETE (*p) += 2; - object_init_ex(*rval, ce); + if (ce->serialize == NULL) { + object_init_ex(*rval, ce); + } else { + /* If this class implements Serializable, it should not land here but in object_custom(). The passed string + obviously doesn't descend from the regular serializer. */ + zend_error(E_WARNING, "Erroneous data format for unserializing '%s'", ce->name); + return 0; + } + return elements; } @@ -381,6 +414,10 @@ static inline int object_common2(UNSERIALIZE_PARAMETER zval *retval_ptr = NULL; zval fname; + if (Z_TYPE_PP(rval) != IS_OBJECT) { + return 0; + } + if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) { return 0; } @@ -394,9 +431,14 @@ static inline int object_common2(UNSERIALIZE_PARAMETER BG(serialize_lock)--; } - if (retval_ptr) + if (retval_ptr) { zval_ptr_dtor(&retval_ptr); + } + if (EG(exception)) { + return 0; + } + return finish_nested_data(UNSERIALIZE_PASSTHRU); } @@ -612,10 +654,22 @@ yy20: do { /* Try to find class directly */ + BG(serialize_lock)++; if (zend_lookup_class(class_name, len2, &pce TSRMLS_CC) == SUCCESS) { + BG(serialize_lock)--; + if (EG(exception)) { + efree(class_name); + return 0; + } ce = *pce; break; } + BG(serialize_lock)--; + + if (EG(exception)) { + efree(class_name); + return 0; + } /* Check for unserialize callback */ if ((PG(unserialize_callback_func) == NULL) || (PG(unserialize_callback_func)[0] == '\0')) { @@ -630,7 +684,15 @@ yy20: args[0] = &arg_func_name; MAKE_STD_ZVAL(arg_func_name); ZVAL_STRING(arg_func_name, class_name, 1); + BG(serialize_lock)++; if (call_user_function_ex(CG(function_table), NULL, user_func, &retval_ptr, 1, args, 0, NULL TSRMLS_CC) != SUCCESS) { + BG(serialize_lock)--; + if (EG(exception)) { + efree(class_name); + zval_ptr_dtor(&user_func); + zval_ptr_dtor(&arg_func_name); + return 0; + } php_error_docref(NULL TSRMLS_CC, E_WARNING, "defined (%s) but not found", user_func->value.str.val); incomplete_class = 1; ce = PHP_IC_ENTRY; @@ -638,9 +700,16 @@ yy20: zval_ptr_dtor(&arg_func_name); break; } + BG(serialize_lock)--; if (retval_ptr) { zval_ptr_dtor(&retval_ptr); } + if (EG(exception)) { + efree(class_name); + zval_ptr_dtor(&user_func); + zval_ptr_dtor(&arg_func_name); + return 0; + } /* The callback function may have defined the class */ if (zend_lookup_class(class_name, len2, &pce TSRMLS_CC) == SUCCESS) { @@ -659,8 +728,10 @@ yy20: *p = YYCURSOR; if (custom_object) { - int ret = object_custom(UNSERIALIZE_PASSTHRU, ce); + int ret; + ret = object_custom(UNSERIALIZE_PASSTHRU, ce); + if (ret && incomplete_class) { php_store_class_name(*rval, class_name, len2); } @@ -1119,7 +1190,7 @@ yy91: if (*rval == *rval_ref) return 0; if (*rval != NULL) { - zval_ptr_dtor(rval); + var_push_dtor_no_addref(var_hash, rval); } *rval = *rval_ref; Z_ADDREF_PP(rval);