File php-CVE-2016-7417.patch of Package php5.14673
X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fspl%2Fspl_array.c;h=700d6093dd51ddb1c46b290d13330eafb5a2fc90;hp=42a8e7aa44986943b73e94da93d02737532a9b04;hb=ecb7f58a069be0dec4a6131b6351a761f808f22e;hpb=b88393f08a558eec14964a55d3c680fe67407712
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 42a8e7a..700d609 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -308,7 +308,7 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object,
long index;
HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
- if (!offset) {
+ if (!offset || !ht) {
return &EG(uninitialized_zval_ptr);
}
@@ -1810,7 +1810,9 @@ SPL_METHOD(Array, unserialize)
intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK;
zval_ptr_dtor(&intern->array);
ALLOC_INIT_ZVAL(intern->array);
- if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+ if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)
+ || (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) {
+ zval_ptr_dtor(&intern->array);
goto outexcept;
}
var_push_dtor(&var_hash, &intern->array);