File php-CVE-2016-7417.patch of Package php7

X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fspl%2Fspl_array.c;h=21f84038824e5c0511df01927f3514c34acd5077;hp=60cbac572697ead5ca180c976cda09928d94005d;hb=022e75cba104c52ccfb494ce224c2c4d0ff2dddc;hpb=060ab26cfe2f25bc59eb2de593e11cea84ef70b0

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 60cbac5..21f8403 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -295,7 +295,7 @@ static zval *spl_array_get_dimension_ptr(int check_inherited, spl_array_object *
 	zend_string *offset_key;
 	HashTable *ht = spl_array_get_hash_table(intern);
 
-	if (!offset || Z_ISUNDEF_P(offset)) {
+	if (!offset || Z_ISUNDEF_P(offset) || !ht) {
 		return &EG(uninitialized_zval);
 	}
 
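Review bot: The new `!ht` test protects only this one use of `spl_array_get_hash_table(intern)`, and the hunk gives no indication that other callers of that helper in spl_array.c handle a NULL result. Those call sites are outside the hunk and should be audited, or the invariant enforced once where `intern->array` is assigned. The guard also returns `&EG(uninitialized_zval)` silently, so a corrupted object reads as an ordinary missing offset. A short comment would record why the check exists, for example `/* ht is NULL when intern->array holds neither an array nor an object */`, assuming that is the condition the helper reports. The body of spl_array_get_dimension_ptr starts and continues outside this hunk.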
@@ -1796,7 +1796,8 @@ SPL_METHOD(Array, unserialize)
 		intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK;
 		zval_ptr_dtor(&intern->array);
 		ZVAL_UNDEF(&intern->array);
-		if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash)) {
+		if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash)
+				|| (Z_TYPE(intern->array) != IS_ARRAY && Z_TYPE(intern->array) != IS_OBJECT)) {
 			goto outexcept;
 		}
 		var_push_dtor(&var_hash, &intern->array);
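Review bot: When the added type check fails, the object has already been modified. `intern->ar_flags` is updated and the old `intern->array` is destroyed and set to UNDEF before `php_var_unserialize` runs, so on `goto outexcept` the member still holds the rejected scalar value (or UNDEF). Unless the `outexcept` label, which lies outside this hunk, resets it, the object stays in exactly the state the `!ht` guard in the first hunk has to tolerate. It would be safer to decode into a temporary value tracked by `var_hash`, validate its type, and only then release the old array and commit the flags, leaving the object untouched on failure. At minimum, record the current behaviour at the check: `/* on failure intern->array is left UNDEF or non-array; readers must cope with a NULL hash table */`.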