File php-CVE-2016-7417.patch of Package php7.16741
X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fspl%2Fspl_array.c;h=21f84038824e5c0511df01927f3514c34acd5077;hp=60cbac572697ead5ca180c976cda09928d94005d;hb=022e75cba104c52ccfb494ce224c2c4d0ff2dddc;hpb=060ab26cfe2f25bc59eb2de593e11cea84ef70b0
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 60cbac5..21f8403 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -295,7 +295,7 @@ static zval *spl_array_get_dimension_ptr(int check_inherited, spl_array_object *
zend_string *offset_key;
HashTable *ht = spl_array_get_hash_table(intern);
- if (!offset || Z_ISUNDEF_P(offset)) {
+ if (!offset || Z_ISUNDEF_P(offset) || !ht) {
return &EG(uninitialized_zval);
}
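Review bot: The new `!ht` guard in spl_array_get_dimension_ptr returns `&EG(uninitialized_zval)` without saying why the hash table can be NULL and without any diagnostic, so a corrupted object looks the same as a missing offset. A short comment above the condition would help, for example `/* ht may be NULL if intern->array is neither an array nor an object, e.g. after a rejected unserialize payload */`; the exact condition should be confirmed against spl_array_get_hash_table, which is not in this hunk. Other callers of spl_array_get_hash_table elsewhere in the file presumably need the same NULL check. The function body continues outside the hunk, so the write-fetch paths after this guard are also worth checking.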
@@ -1796,7 +1796,8 @@ SPL_METHOD(Array, unserialize)
intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK;
zval_ptr_dtor(&intern->array);
ZVAL_UNDEF(&intern->array);
- if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash)) {
+ if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash)
+ || (Z_TYPE(intern->array) != IS_ARRAY && Z_TYPE(intern->array) != IS_OBJECT)) {
goto outexcept;
}
var_push_dtor(&var_hash, &intern->array);
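Review bot: In the Array::unserialize hunk the object is modified before the payload is validated: `intern->ar_flags` is updated and `intern->array` is destroyed and refilled by php_var_unserialize before the new type check runs. On the `goto outexcept` path the rejected non-array, non-object value therefore appears to stay in `intern->array`. Unless the outexcept label (outside this hunk) resets it, an object that survives a caught exception keeps that value, and every later accessor depends on NULL checks like the one added in spl_array_get_dimension_ptr. Consider unserializing into a temporary zval and copying it into `intern->array` only after the type check passes, or resetting the member before the jump. The check also accepts any IS_OBJECT; if the constructor path validates wrapped objects more strictly, the same validation belongs here.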