php-ds / ext-ds

An extension providing efficient data structures for PHP 7
https://medium.com/p/9dda7af674cd
MIT License

Fixed buffer outflow during deserialization of map objects #132

Closed rado-h closed 5 years ago

rado-h commented 5 years ago

The same fix from #111 applied for the deserialization of maps.

rtheunissen commented 5 years ago

Thank you. Could you please explain to me how this allows for buffer overflow?

rado-h commented 5 years ago

Not sure if either overflow or underflow is the most appropriate term here; I just went with the same name as the previous request. What happens is the serialization output from igbinary_serialize doesn't seem to contain any curly brackets, so the condition for end might not be met. For example, while the output of

serialize(new \DS\Map)

would be

C:6:"Ds\Map":0:{}"

the output of

igbinary_serialize(new \DS\Map)

would be

"Ds\Map"
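
The failure mode described in the comment above, as an added example that is not code from this pull request or from ext-ds: a parse loop that stops only on a `}` byte, next to one that stops on the payload length. The two-byte "pair" format, the function names and the sample buffers are assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

struct parse_result { size_t pairs; int out_of_bounds; };

/* Sentinel loop: stops only when it sees '}'. `cap` is the size of the demo
 * arena, so this example never reads memory it does not own. */
struct parse_result parse_sentinel(const unsigned char *buf, size_t len, size_t cap)
{
    struct parse_result r = {0, 0};
    for (size_t pos = 0; pos < cap && buf[pos] != '}'; pos += 2) {
        if (pos >= len)
            r.out_of_bounds = 1;  /* walking bytes after the payload */
        r.pairs++;                /* one key byte + one value byte */
    }
    return r;
}

/* Bounded loop: terminates on the payload length, whatever the bytes are. */
struct parse_result parse_bounded(const unsigned char *buf, size_t len)
{
    struct parse_result r = {0, 0};
    for (size_t pos = 0; pos + 2 <= len; pos += 2)
        r.pairs++;
    return r;
}

/* Constructed inputs. NATIVE: body "a1b2" sits inside "{...}", so a '}'
 * follows it. BARE: same body with no brace, followed by neighbour bytes. */
static const unsigned char NATIVE[] = "{a1b2}";
static const unsigned char BARE[]   = "a1b2zzzz";

int main(void)
{
    struct parse_result n = parse_sentinel(NATIVE + 1, 4, 5);
    struct parse_result s = parse_sentinel(BARE, 4, 8);
    struct parse_result b = parse_bounded(BARE, 4);
    printf("native/sentinel: pairs=%zu oob=%d\n", n.pairs, n.out_of_bounds);
    printf("bare/sentinel:   pairs=%zu oob=%d\n", s.pairs, s.out_of_bounds);
    printf("bare/bounded:    pairs=%zu oob=%d\n", b.pairs, b.out_of_bounds);
    return 0;
}
```

With the brace-framed input the sentinel loop reads two pairs and stops; with the brace-free input it keeps going into the neighbouring bytes, while the bounded loop reads two pairs in both cases.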