Author: keescook-guest Date: 2007-04-18 23:20:57 +0000 (Wed, 18 Apr 2007) New Revision: 5675 Added: data/patches/MOPB/MOPB-10-php5.diff data/patches/MOPB/MOPB-14-php5.diff data/patches/MOPB/MOPB-15-php5.diff data/patches/MOPB/MOPB-24-php5.diff data/patches/MOPB/MOPB-29-php5.diff Modified: data/mopb.txt Log: patches for MOPB 10, 14, 15, 24, 29 Modified: data/mopb.txt ==================================================================--- data/mopb.txt 2007-04-18 22:24:35 UTC (rev 5674) +++ data/mopb.txt 2007-04-18 23:20:57 UTC (rev 5675) @@ -18,6 +18,7 @@ 10 PHP php_binary Session Deserialization Information Leak Vulnerability #TODO(low) -> Can only leak 127 bytes of data, CVE-2007-1380 (php4 & php5, heap leak) Check, to which extent this was covered by our backports of 5.2.1 patches +[MOPB-10-php5.diff] @@ -65,6 +66,7 @@ 14 PHP substr_compare() Information Leak Vulnerability #TODO(low) -> corner-case where length+offset > INT_MAX, CVE-2007-1375 (php5, heap leak) +[MOPB-14-php5.diff] @@ -99,6 +101,7 @@ 29 PHP 5.2.1 unserialize() Information Leak Vulnerability #N/A -> Only affects PHP 5.2.1 (heap leak via broken "S" unserializer, which should maybe be removed from 5.2.1, since it is only for future compatibility and is totally broken?) +[MOPB-29-php5.diff] 28 PHP hash_update_file() Already Freed Resource Access Vulnerability #N/A -> Only triggerable by malicious script, CVE-2007-1581 (php5, local malicious stream handler leads to code execution) @@ -111,6 +114,7 @@ 24 PHP array_user_key_compare() Double DTOR Vulnerability #N/A -> Only triggerable by malicious script, CVE-2007-1484 (php4 & php5, code execution) +[MOPB-24-php5.diff] 21 PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability #N/A -> Safemode and open_basedir bypasses not supported, CVE-2007-1461 
@@ -119,7 +123,8 @@ #N/A -> Safemode and open_basedir bypasses not supported, CVE-2007-1460 15 PHP shmop Functions Resource Verification Vulnerability -N/A Only triggerable by malicious script, could be used to read/write arbitrary memory, CVE-2007-1376 (php4 & php5, arbitrary memory leakage) +#N/A -> Only triggerable by malicious script, could be used to read/write arbitrary memory, CVE-2007-1376 (php4 & php5, arbitrary memory leakage) +[MOPB-15-php5.diff] 13 PHP 4 Ovrimos Extension Multiple Vulnerabilities #N/A -> Ovrimos support not provided in any debian php packages, CVE-2007-1379, CVE-2007-1378 Added: data/patches/MOPB/MOPB-10-php5.diff ==================================================================--- data/patches/MOPB/MOPB-10-php5.diff 2007-04-18 22:24:35 UTC (rev 5674) +++ data/patches/MOPB/MOPB-10-php5.diff 2007-04-18 23:20:57 UTC (rev 5675) 
@@ -0,0 +1,319 @@ + + + + +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" +"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> +<head> +<title>[cvs] Diff of /php-src/ext/session/session.c</title> +<meta name="generator" content="ViewVC 1.1-dev" /> +<link rel="stylesheet" href="/viewvc.cgi/*docroot*/styles.css" type="text/css" /> +<link rel="stylesheet" href="http://static.php.net/www.php.net/style.css" /> +<link rel="stylesheet" href="http://static.php.net/www.php.net/styles/phpnet.css" /> +<link rel="shortcut icon" href="http://static.php.net/www.php.net/favicon.ico" /> + +</head> +<body bgcolor="#ffffff" text="#000000" link="#000099" alink="#0000ff" vlink="#000099"> +<div class="vc_navheader"> +<table border="0" cellspacing="0" cellpadding="0" width="100%"> +<tr bgcolor="#9999cc"> +<td align="center" rowspan="2" width="126"><a href="/"><img src="http://static.php.net/www.php.net/images/php.gif" alt="PHP" width="120" height="67" hspace="3" /></a></td> +<td> </td> +</tr> +<tr bgcolor="#9999cc"> +<td align="right" valign="bottom"> +<a href="http://www.php.net/anoncvs.php">Anonymous CVS Access Instructions</a>. 
+</td> +</tr> +<tr bgcolor="#666699"> +<td align="right" valign="top" colspan="2" class="quicksearch"> +Main trees: <a href="/viewvc.cgi/php-src/">php-src</a> | +<a href="/viewvc.cgi/pecl/">pecl</a> | +<a href="/viewvc.cgi/pear/">pear</a> | +<a href="/viewvc.cgi/pear-core/">pear-core</a> +</td> +</tr> +</table> +</div> +<div class="paddinghack"> + +<p style="margin:0;"> + +<a href="/viewvc.cgi/php-src/ext/session/?pathrev=PHP_5_2"><img src="/viewvc.cgi/*docroot*/images/back_small.png" class="vc_icon" alt="Parent Directory" /> Parent Directory</a> + +| <a href="/viewvc.cgi/php-src/ext/session/session.c?view=log&pathrev=PHP_5_2"><img src="/viewvc.cgi/*docroot*/images/log.png" class="vc_icon" alt="Revision Log" /> Revision Log</a> + + + +| <a href="/viewvc.cgi/php-src/ext/session/session.c?r1=1.417.2.8.2.22&r2=1.417.2.8.2.23&pathrev=PHP_5_2&view=patch"><img src="/viewvc.cgi/*docroot*/images/diff.png" class="vc_icon" alt="View Patch" /> Patch</a> + + +</p> + +<h3 style="text-align:center;"></h3> + + +<table cellspacing="0" cellpadding="0"> +<tr class="vc_diff_header"> +<th style="width:6%;"></th> +<th style="width:47%; vertical-align:top;"> + +revision 1.417.2.8.2.22, Tue Dec 26 16:53:47 2006 UTC + +</th> +<th style="width:47%; vertical-align:top;"> + +revision 1.417.2.8.2.23, Sun Dec 31 22:25:55 2006 UTC + +</th> +</tr> + + +<tr class="vc_diff_chunk_header" id="h471"> +<td style="width:6%;"><strong>#</strong></td> +<td style="width:47%;"> +<strong>Line 471</strong> +<span class="vc_diff_chunk_extra"></span> +</td> +<td style="width:47%;"> +<strong>Line 471</strong> +<span class="vc_diff_chunk_extra"></span> +</td> +</tr> + + + + + + + + + +<tr> +<td id="l471"><a href="/viewvc.cgi/php-src/ext/session/session.c?annotate=1.417.2.8.2.23&pathrev=PHP_5_2#l471">471</a></td> +<td class="vc_diff_nochange"> for (p = val; p < endptr; ) {</td> +<td class="vc_diff_nochange"> for (p = val; p < endptr; ) {</td> +</tr> + + + + + + + + + + + + + + + +<tr> +<td id="l472"><a 
href="/viewvc.cgi/php-src/ext/session/session.c?annotate=1.417.2.8.2.23&pathrev=PHP_5_2#l472">472</a></td> +<td class="vc_diff_nochange"> zval **tmp;</td> +<td class="vc_diff_nochange"> zval **tmp;</td> +</tr> + + + + + + + + + + + + + + + +<tr> +<td id="l473"><a href="/viewvc.cgi/php-src/ext/session/session.c?annotate=1.417.2.8.2.23&pathrev=PHP_5_2#l473">473</a></td> +<td class="vc_diff_nochange"> namelen = *p & (~PS_BIN_UNDEF);</td> +<td class="vc_diff_nochange"> namelen = *p & (~PS_BIN_UNDEF);</td> +</tr> + + + + + + + + + + +<tr> +<td id="l474"><a href="/viewvc.cgi/php-src/ext/session/session.c?annotate=1.417.2.8.2.23&pathrev=PHP_5_2#l474">474</a></td> +<td class="vc_diff_empty"> </td> +<td class="vc_diff_add"> </td> +</tr> + + + + + +<tr> +<td id="l475"><a href="/viewvc.cgi/php-src/ext/session/session.c?annotate=1.417.2.8.2.23&pathrev=PHP_5_2#l475">475</a></td> +<td class="vc_diff_empty"> </td> +<td class="vc_diff_add"> if (namelen > PS_BIN_MAX || (p + namelen) >= endptr) {</td> +</tr> + + + + + +<tr> +<td id="l476"><a href="/viewvc.cgi/php-src/ext/session/session.c?annotate=1.417.2.8.2.23&pathrev=PHP_5_2#l476">476</a></td> +<td class="vc_diff_empty"> </td> +<td class="vc_diff_add"> return FAILURE;</td> +</tr> + + + + + +<tr> +<td id="l477"><a href="/viewvc.cgi/php-src/ext/session/session.c?annotate=1.417.2.8.2.23&pathrev=PHP_5_2#l477">477</a></td> +<td class="vc_diff_empty"> </td> +<td class="vc_diff_add"> }</td> +</tr> + + + + + +<tr> +<td id="l478"><a href="/viewvc.cgi/php-src/ext/session/session.c?annotate=1.417.2.8.2.23&pathrev=PHP_5_2#l478">478</a></td> +<td class="vc_diff_empty"> </td> +<td class="vc_diff_add"> </td> +</tr> + + + + + + + + + + +<tr> +<td id="l479"><a href="/viewvc.cgi/php-src/ext/session/session.c?annotate=1.417.2.8.2.23&pathrev=PHP_5_2#l479">479</a></td> +<td class="vc_diff_nochange"> has_value = *p & PS_BIN_UNDEF ? 0 : 1;</td> +<td class="vc_diff_nochange"> has_value = *p & PS_BIN_UNDEF ? 
0 : 1;</td> +</tr> + + + + + + + + + + + + + + + +<tr> +<td id="l480"><a href="/viewvc.cgi/php-src/ext/session/session.c?annotate=1.417.2.8.2.23&pathrev=PHP_5_2#l480">480</a></td> +<td class="vc_diff_nochange"> </td> +<td class="vc_diff_nochange"> </td> +</tr> + + + + + + + + + + + + + + + +<tr> +<td id="l481"><a href="/viewvc.cgi/php-src/ext/session/session.c?annotate=1.417.2.8.2.23&pathrev=PHP_5_2#l481">481</a></td> +<td class="vc_diff_nochange"> name = estrndup(p + 1, namelen);</td> +<td class="vc_diff_nochange"> name = estrndup(p + 1, namelen);</td> +</tr> + + + + + + + + +</table> + + + +<hr style="margin-top:1em;" /> +<table cellpadding="10" class="auto"> +<tr> +<td> +<form method="get" action="/viewvc.cgi/php-src/ext/session/session.c"> +<div> +<input type="hidden" name="r1" value="1.417.2.8.2.22" /><input type="hidden" name="r2" value="1.417.2.8.2.23" /><input type="hidden" name="pathrev" value="PHP_5_2" /> +<select name="diff_format" onchange="submit()"> +<option value="h" selected="selected">Colored Diff</option> +<option value="l" >Long Colored Diff</option> +<option value="f" >Full Colored Diff</option> +<option value="u" >Unidiff</option> +<option value="c" >Context Diff</option> +<option value="s" >Side by Side</option> +</select> +<input type="submit" value="Show" /> +</div> +</form> +</td> +<td> + +<table style="border:solid gray 1px;" class="auto"> +<tr> +<td>Legend:<br /> +<table cellspacing="0" cellpadding="1"> +<tr> +<td style="text-align:center;" class="vc_diff_remove">Removed from v.1.417.2.8.2.22</td> +<td class="vc_diff_empty"> </td> +</tr> +<tr> +<td style="text-align:center;" colspan="2" class="vc_diff_change">changed lines</td> +</tr> +<tr> +<td class="vc_diff_empty"> </td> +<td style="text-align:center;" class="vc_diff_add">Added in v.1.417.2.8.2.23</td> +</tr> +</table> +</td> +</tr> +</table> + +</td> +</tr> +</table> + +<hr /> +<table> +<tr> +<td> +<address>systems@php.net</address><br /> +Powered by <a 
href="http://viewvc.tigris.org/">ViewVC 1.1-dev</a> +</td> +<td style="text-align:right;"> +<h3><a href="/viewvc.cgi/*docroot*/help_rootview.html">ViewVC Help</a></h3> +</td> +</tr> +</table> +</body> +</html> + Added: data/patches/MOPB/MOPB-14-php5.diff ==================================================================--- data/patches/MOPB/MOPB-14-php5.diff 2007-04-18 22:24:35 UTC (rev 5674) +++ data/patches/MOPB/MOPB-14-php5.diff 2007-04-18 23:20:57 UTC (rev 5675) 
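Review bot: The file added as data/patches/MOPB/MOPB-10-php5.diff is the ViewVC colored-diff HTML page for php-src/ext/session/session.c (revision 1.417.2.8.2.22 to 1.417.2.8.2.23), not a unified diff, so patch(1) finds no hunks in it and the `[MOPB-10-php5.diff]` reference added to mopb.txt in this same commit points at a file that cannot be applied. The only session.c lines the page shows are the bounds check inserted before `has_value` in the php_binary deserializer, `if (namelen > PS_BIN_MAX || (p + namelen) >= endptr) {` / `return FAILURE;` / `}`, which is what the entry's "can only leak 127 bytes" note refers to. The page itself carries the plain-text form of the same change at the "Patch" link (`...session.c?r1=1.417.2.8.2.22&r2=1.417.2.8.2.23&pathrev=PHP_5_2&view=patch`); committing that output in place of the HTML would make MOPB-10 reviewable and applicable like the other four patches in this revision.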
@@ -0,0 +1,50 @@
+--- string.c 2007/03/03 15:46:29 1.445.2.14.2.45
++++ string.c 2007/03/08 00:47:04 1.445.2.14.2.49
+@@ -18,7 +18,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: string.c,v 1.445.2.14.2.45 2007/03/03 15:46:29 iliaa Exp $ */
++/* $Id: string.c,v 1.445.2.14.2.49 2007/03/08 00:47:04 stas Exp $ */
+
+ /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
+
+@@ -4642,18 +4642,20 @@
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Offset should be greater than or equal to 0.");
+ RETURN_FALSE;
+ }
+- p += Z_LVAL_PP(offset);
+- if (p > endp) {
++
++ if (Z_LVAL_PP(offset) > Z_STRLEN_PP(haystack)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Offset value %ld exceeds string length.", Z_LVAL_PP(offset));
+ RETURN_FALSE;
+ }
++ p += Z_LVAL_PP(offset);
++
+ if (ac == 4) {
+ convert_to_long_ex(length);
+ if (Z_LVAL_PP(length) <= 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length should be greater than 0.");
+ RETURN_FALSE;
+ }
+- if ((p + Z_LVAL_PP(length)) > endp) {
++ if (Z_LVAL_PP(length) > (Z_STRLEN_PP(haystack) - Z_LVAL_PP(offset))) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length value %ld exceeds string length.", Z_LVAL_PP(length));
+ RETURN_FALSE;
+ }
+@@ -5074,8 +5076,13 @@
+ offset = (offset < 0) ? 0 : offset;
+ }
+
+- if ((offset + len) > s1_len) {
++ if(offset > s1_len) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The start position cannot exceed initial string length");
++ RETURN_FALSE;
++ }
++
++ if(len > s1_len - offset) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The length cannot exceed initial string length");
+ RETURN_FALSE;
+ }
+
Added: data/patches/MOPB/MOPB-15-php5.diff
==================================================================
--- data/patches/MOPB/MOPB-15-php5.diff 2007-04-18 22:24:35 UTC (rev 5674)
+++ data/patches/MOPB/MOPB-15-php5.diff 2007-04-18 23:20:57 UTC (rev 5675)
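Review bot: The two substr_compare() conditions at the bottom of the hunk are written `if(offset > s1_len)` and `if(len > s1_len - offset)`, dropping the space after `if` that every other condition in the same file uses (`if (ac == 4)`, `if (Z_LVAL_PP(length) <= 0)`); for a patch that will be carried in the Debian package, matching the file with `if (offset > s1_len) {` and `if (len > s1_len - offset) {` costs nothing. Both rewrites are the right shape otherwise: the removed `(offset + len) > s1_len` and `(p + Z_LVAL_PP(length)) > endp` comparisons could wrap when offset+length approached the integer limit, and the new code bounds each operand against the string length separately. The second substr_compare() check assumes `len` is not negative; if the argument handling earlier in that function (outside the hunk) does not already reject `len <= 0`, `len < 0 ||` belongs at the front of it. The haystack/offset function at line 4642 and substr_compare() both start and end outside the hunk.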
@@ -0,0 +1,99 @@
+--- shmop.c 2006/11/03 14:46:48 1.31.2.2.2.1
++++ shmop.c 2006/12/30 20:21:25 1.31.2.2.2.2
+@@ -16,7 +16,7 @@
+ | Ilia Alshanetsky <ilia@prohost.org> |
+ +----------------------------------------------------------------------+
+ */
+-/* $Id: shmop.c,v 1.31.2.2.2.1 2006/11/03 14:46:48 bjori Exp $ */
++/* $Id: shmop.c,v 1.31.2.2.2.2 2006/12/30 20:21:25 iliaa Exp $ */
+
+ #ifdef HAVE_CONFIG_H
+ #include "config.h"
+@@ -78,6 +78,16 @@
+ ZEND_GET_MODULE(shmop)
+ #endif
+
++#define PHP_SHMOP_GET_RES \
++ shmop = zend_list_find(shmid, &type); \
++ if (!shmop) { \
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "no shared memory segment with an id of [%lu]", shmid); \
++ RETURN_FALSE; \
++ } else if (type != shm_type) { \
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "not a shmop resource"); \
++ RETURN_FALSE; \
++ } \
++
+ /* {{{ rsclean
+ */
+ static void rsclean(zend_rsrc_list_entry *rsrc TSRMLS_DC)
+@@ -201,13 +211,8 @@
+ return;
+ }
+
+- shmop = zend_list_find(shmid, &type);
++ PHP_SHMOP_GET_RES
+
+- if (!shmop) {
+- php_error_docref(NULL TSRMLS_CC, E_WARNING, "no shared memory segment with an id of [%lu]", shmid);
+- RETURN_FALSE;
+- }
+-
+ if (start < 0 || start > shmop->size) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "start is out of range");
+ RETURN_FALSE;
+@@ -241,12 +246,7 @@
+ return;
+ }
+
+- shmop = zend_list_find(shmid, &type);
+-
+- if (!shmop) {
+- php_error_docref(NULL TSRMLS_CC, E_WARNING, "no shared memory segment with an id of [%lu]", shmid);
+- RETURN_FALSE;
+- }
++ PHP_SHMOP_GET_RES
+
+ zend_list_delete(shmid);
+ }
+@@ -264,12 +264,7 @@
+ return;
+ }
+
+- shmop = zend_list_find(shmid, &type);
+-
+- if (!shmop) {
+- php_error_docref(NULL TSRMLS_CC, E_WARNING, "no shared memory segment with an id of [%lu]", shmid);
+- RETURN_FALSE;
+- }
++ PHP_SHMOP_GET_RES
+
+ RETURN_LONG(shmop->size);
+ }
+@@ -290,12 +285,7 @@
+ return;
+ }
+
+- shmop = zend_list_find(shmid, &type);
+-
+- if (!shmop) {
+- php_error_docref(NULL TSRMLS_CC, 
E_WARNING, "no shared memory segment with an id of [%lu]", shmid);
+- RETURN_FALSE;
+- }
++ PHP_SHMOP_GET_RES
+
+ if ((shmop->shmatflg & SHM_RDONLY) == SHM_RDONLY) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "trying to write to a read only segment");
+@@ -326,12 +316,7 @@
+ return;
+ }
+
+- shmop = zend_list_find(shmid, &type);
+-
+- if (!shmop) {
+- php_error_docref(NULL TSRMLS_CC, E_WARNING, "no shared memory segment with an id of [%lu]", shmid);
+- RETURN_FALSE;
+- }
++ PHP_SHMOP_GET_RES
+
+ if (shmctl(shmop->shmid, IPC_RMID, NULL)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "can''t mark segment for deletion (are you the owner?)");
Added: data/patches/MOPB/MOPB-24-php5.diff
==================================================================
--- data/patches/MOPB/MOPB-24-php5.diff 2007-04-18 22:24:35 UTC (rev 5674)
+++ data/patches/MOPB/MOPB-24-php5.diff 2007-04-18 23:20:57 UTC (rev 5675)
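Review bot: The new `PHP_SHMOP_GET_RES` macro at line 78 carries no comment although it silently relies on `shmop`, `shmid` and `type` existing in each caller's scope plus the file-level `shm_type`, and it can only be expanded inside a PHP_FUNCTION body because it uses `RETURN_FALSE`; a comment above the `#define` should state that, e.g. `/* Resolve shmid into the local shmop; warn and return FALSE from the calling PHP function when the id is unknown or the resource is not of type shm_type. Needs shmop, shmid and type in scope. */`. The `else if (type != shm_type)` branch is the resource verification the MOPB-15 entry describes: the five replaced call sites checked `zend_list_find`'s result only for NULL and then dereferenced it as a shmop (`shmop->size`, `shmop->shmatflg`, `shmop->shmid`), whatever kind of resource the id named. As a point of style the macro is expanded as a bare `PHP_SHMOP_GET_RES` with no semicolon and its final `} \` continues onto the empty line after it; wrapping the body in `do { ... } while (0)` and writing `PHP_SHMOP_GET_RES;` at the call sites would make it a proper statement. Each of the five affected PHP functions starts and ends outside its hunk.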
@@ -0,0 +1,69 @@
+--- array.c 2007/03/04 17:21:16 1.308.2.21.2.24
++++ array.c 2007/03/16 19:38:58 1.308.2.21.2.25
+@@ -21,7 +21,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: array.c,v 1.308.2.21.2.24 2007/03/04 17:21:16 iliaa Exp $ */
++/* $Id: array.c,v 1.308.2.21.2.25 2007/03/16 19:38:58 stas Exp $ */
+
+ #include "php.h"
+ #include "php_ini.h"
+@@ -703,40 +703,40 @@
+ {
+ Bucket *f;
+ Bucket *s;
+- zval key1, key2;
++ zval *key1, *key2;
+ zval *args[2];
+ zval retval;
+ int status;
+
+- args[0] = &key1;
+- args[1] = &key2;
+- INIT_PZVAL(&key1);
+- INIT_PZVAL(&key2);
++ ALLOC_INIT_ZVAL(key1);
++ ALLOC_INIT_ZVAL(key2);
++ args[0] = key1;
++ args[1] = key2;
+
+ f = *((Bucket **) a);
+ s = *((Bucket **) b);
+
+ if (f->nKeyLength) {
+- Z_STRVAL(key1) = estrndup(f->arKey, f->nKeyLength-1);
+- Z_STRLEN(key1) = f->nKeyLength-1;
+- Z_TYPE(key1) = IS_STRING;
++ Z_STRVAL_P(key1) = estrndup(f->arKey, f->nKeyLength-1);
++ Z_STRLEN_P(key1) = f->nKeyLength-1;
++ Z_TYPE_P(key1) = IS_STRING;
+ } else {
+- Z_LVAL(key1) = f->h;
+- Z_TYPE(key1) = IS_LONG;
++ Z_LVAL_P(key1) = f->h;
++ Z_TYPE_P(key1) = IS_LONG;
+ }
+ if (s->nKeyLength) {
+- Z_STRVAL(key2) = estrndup(s->arKey, s->nKeyLength-1);
+- Z_STRLEN(key2) = s->nKeyLength-1;
+- Z_TYPE(key2) = IS_STRING;
++ Z_STRVAL_P(key2) = estrndup(s->arKey, s->nKeyLength-1);
++ Z_STRLEN_P(key2) = s->nKeyLength-1;
++ Z_TYPE_P(key2) = IS_STRING;
+ } else {
+- Z_LVAL(key2) = s->h;
+- Z_TYPE(key2) = IS_LONG;
++ Z_LVAL_P(key2) = s->h;
++ Z_TYPE_P(key2) = IS_LONG;
+ }
+
+ status = call_user_function(EG(function_table), NULL, *BG(user_compare_func_name), &retval, 2, args TSRMLS_CC);
+
+- zval_dtor(&key1);
+- zval_dtor(&key2);
++ zval_ptr_dtor(&key1);
++ zval_ptr_dtor(&key2);
+
+ if (status == SUCCESS) {
+ convert_to_long(&retval);
Added: data/patches/MOPB/MOPB-29-php5.diff
==================================================================
--- data/patches/MOPB/MOPB-29-php5.diff 2007-04-18 22:24:35 
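Review bot: The move from stack `zval key1, key2` to `ALLOC_INIT_ZVAL` plus `zval_ptr_dtor` in the line-703 hunk is the entire fix, and nothing in the code records why, so a later tidy-up could put the stack zvals back; a comment above `ALLOC_INIT_ZVAL(key1);` should pin it down, e.g. `/* key1/key2 must be heap-allocated, refcounted zvals: they are handed to the user comparison callback as arguments, which may keep a reference, so they cannot be destroyed unconditionally on return (MOPB-24, CVE-2007-1484). */`, the CVE being the one the mopb.txt hunk attaches to entry 24. `retval` stays a stack zval and its disposal, like the start and end of the enclosing comparison function, is outside the hunk. The three-assignment string setup could be written with `ZVAL_STRINGL(key1, f->arKey, f->nKeyLength-1, 1)` and `ZVAL_LONG(key1, f->h)`, but keeping the upstream lines verbatim is the better choice for a backport.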
UTC (rev 5674)
+++ data/patches/MOPB/MOPB-29-php5.diff 2007-04-18 23:20:57 UTC (rev 5675)
@@ -0,0 +1,51 @@
+--- var_unserializer.re 2006/12/15 00:58:08 1.52.2.2.2.1
++++ var_unserializer.re 2007/03/23 20:15:21 1.52.2.2.2.2
+@@ -16,7 +16,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: var_unserializer.re,v 1.52.2.2.2.1 2006/12/15 00:58:08 andrei Exp $ */
++/* $Id: var_unserializer.re,v 1.52.2.2.2.2 2007/03/23 20:15:21 stas Exp $ */
+
+ #include "php.h"
+ #include "ext/standard/php_var.h"
+@@ -138,12 +138,18 @@
+
+ /* }}} */
+
+-static char *unserialize_str(const unsigned char **p, int len)
++static char *unserialize_str(const unsigned char **p, size_t *len)
+ {
+- int i, j;
+- char *str = emalloc(len+1);
++ size_t i, j;
++ char *str = safe_emalloc(*len, 1, 1);
++ unsigned char *end = *p+*len;
+
+- for (i = 0; i < len; i++) {
++ if(end < *p) {
++ efree(str);
++ return NULL;
++ }
++
++ for (i = 0; i < *len && *p < end; i++) {
+ if (**p != ''\\'') {
+ str[i] = (char)**p;
+ } else {
+@@ -167,6 +173,7 @@
+ (*p)++;
+ }
+ str[i] = 0;
++ *len = i;
+ return str;
+ }
+
+@@ -518,7 +525,7 @@
+ return 0;
+ }
+
+- if ((str = unserialize_str(&YYCURSOR, len)) == NULL) {
++ if ((str = unserialize_str(&YYCURSOR, &len)) == NULL) {
+ return 0;
+ }
+
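Review bot: `unsigned char *end = *p+*len;` followed by `if(end < *p)` in the line-138 hunk tries to catch an oversized `len` only after forming a pointer that may lie far outside the input, and pointer arithmetic past the end of an object is undefined in C, so a compiler is entitled to treat the comparison as always false; the robust form bounds `*len` against the remaining input before `end` is computed. The natural place is the caller at line 518, which passes a `len` parsed from the serialized data, with a check against that function's end-of-input pointer (not visible in the hunk), e.g. `if (len > (size_t)(INPUT_END - YYCURSOR)) return 0;` where INPUT_END stands for whatever name the caller uses for the end of its buffer. The new loop guard `*p < end` also only covers the byte at `*p`: the escape branch (`} else {`, body outside the hunk) evidently consumes further bytes, so an escape at the tail of the input can still read past `end` unless that branch checks the remaining length itself. `safe_emalloc(*len, 1, 1)` and the `*len = i` write-back are correct improvements; the function body and the caller both continue outside the hunk.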