Fixed bug #74103 and bug #75054

Directly fail unserialization when trying to acquire an r/R
reference to an UNDEF HT slot. Previously this left an UNDEF and
later deleted the index/k

Fixed bug #74103 and bug #75054

Directly fail unserialization when trying to acquire an r/R
reference to an UNDEF HT slot. Previously this left an UNDEF and
later deleted the index/key from the HT.

What actually caused the issue here is a combination of two
factors: First, the key deletion was performed using the hash API,
rather than the symtable API, such that the element was not actually
removed if it used an integral string key. Second, a subsequent
deletion operation, while collecting trailing UNDEF ranges, would
mark the element as available for reuse (leaving a corrupted HT
state with nNumOfElemnts > nNumUsed).

Fix this by failing early and dropping the deletion code.

show more ...

Fixed bug #74111

Fixed bug #74111

fix datatype

Fixed bug #74101 and bug #74614

Implement delayed __wakeup

Update copyright headers to 2017

Use correct string release function

Fix error reporting

FIx bug #70213

Fix bug #73825 - Heap out of bounds read on unserialize in finish_nested_data()

Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction

Bug #72663 - part 2

If a (nested) unserialize() call fails, we remove all the values
that were inserted into var_hash during that call. This prevents
their use in other unserializati

Bug #72663 - part 2

If a (nested) unserialize() call fails, we remove all the values
that were inserted into var_hash during that call. This prevents
their use in other unserializations in the same context.

show more ...

Bug #72663 - part 1

Don't call __destruct() on an unserialized object that has a
__wakeup() method if either
a) unserialization of its properties fails or
b) the __wakeup() call

Bug #72663 - part 1

Don't call __destruct() on an unserialized object that has a
__wakeup() method if either
a) unserialization of its properties fails or
b) the __wakeup() call fails (e.g. by throwing).

This basically treats __wakeup() as a form of constructor and
aligns us with the usual behavior that if the constructor call
fails the destructor should not be called.

The security aspect here is that people use __wakeup() to prevent
unserialization of objects with dangerous __destruct() methods,
but this is ineffective if __destruct() can still be called while
__wakeup() was skipped.

show more ...

Improve fix for #72663

Fix bug #72663 - destroy broken object when unserializing

Use zend_string_safe_alloc

Improved fix for #71940

Fixed bug #71940 (Unserialize crushes on restore object reference)

Fixed bug #71840 (Unserialize accepts wrongly data)

Eliminate usages of _PP macros

These are either in debug code (fix them), commented out (drop
them) or in dead compatibility macros (drop them).

One usage was in php_stream_get_

Eliminate usages of _PP macros

These are either in debug code (fix them), commented out (drop
them) or in dead compatibility macros (drop them).

One usage was in php_stream_get_from_zval(), which we have not used
since at least PHP 5.2 and, judging from the fact that nobody
complained about it causing compile errors in PHP 7, nobody else
uses it either, so drop it.

There are still remaining uses in mysqli embedded and odbc birdstep.
These probably need to be dropped outright.

show more ...

Fixed bug #71311: Use-after-free vulnerability in SPL(ArrayObject, unserialize)

Happy new year (Update copyright to 2016)

Also fixed 'r'

Indent (not sure why it was messed)