random: Validate that the arrays do not contain extra elements when unserializing (#9458)

* Apply `var_dump()` in 02_engine/all_serialize_error.phpt This ensures that an undetected serialization error is clear identifiable in the output. * random: Validate that the arrays do not contain extra elements when unserializing
2026-03-24 08:12:21 +01:00 · 2022-09-05 17:33:36 +02:00
parent 15405c60da
commit ddf7a5d4d9
5 changed files with 51 additions and 8 deletions
--- a/ext/random/engine_mt19937.c
+++ b/ext/random/engine_mt19937.c
@@ -203,6 +203,11 @@ static bool unserialize(php_random_status *status, HashTable *data)
 	php_random_status_state_mt19937 *s = status->state;
 	zval *t;

+	/* Verify the expected number of elements, this implicitly ensures that no additional elements are present. */
+	if (zend_hash_num_elements(data) != (MT_N + 2)) {
+		return false;
+	}
+
 	for (uint32_t i = 0; i < MT_N; i++) {
 		t = zend_hash_index_find(data, i);
 		if (!t || Z_TYPE_P(t) != IS_STRING || Z_STRLEN_P(t) != (2 * sizeof(uint32_t))) {
@@ -358,6 +363,12 @@ PHP_METHOD(Random_Engine_Mt19937, __unserialize)
 		Z_PARAM_ARRAY_HT(d);
 	ZEND_PARSE_PARAMETERS_END();

+	/* Verify the expected number of elements, this implicitly ensures that no additional elements are present. */
+	if (zend_hash_num_elements(d) != 2) {
+		zend_throw_exception_ex(NULL, 0, "Invalid serialization data for %s object", ZSTR_VAL(engine->std.ce->name));
+		RETURN_THROWS();
+	}
+
 	/* members */
 	t = zend_hash_index_find(d, 0);
 	if (!t || Z_TYPE_P(t) != IS_ARRAY) {
--- a/ext/random/engine_pcgoneseq128xslrr64.c
+++ b/ext/random/engine_pcgoneseq128xslrr64.c
@@ -83,6 +83,11 @@ static bool unserialize(php_random_status *status, HashTable *data)
 	uint64_t u[2];
 	zval *t;

+	/* Verify the expected number of elements, this implicitly ensures that no additional elements are present. */
+	if (zend_hash_num_elements(data) != 2) {
+		return false;
+	}
+
 	for (uint32_t i = 0; i < 2; i++) {
 		t = zend_hash_index_find(data, i);
 		if (!t || Z_TYPE_P(t) != IS_STRING || Z_STRLEN_P(t) != (2 * sizeof(uint64_t))) {
--- a/ext/random/engine_xoshiro256starstar.c
+++ b/ext/random/engine_xoshiro256starstar.c
@@ -131,6 +131,11 @@ static bool unserialize(php_random_status *status, HashTable *data)
 	php_random_status_state_xoshiro256starstar *s = status->state;
 	zval *t;

+	/* Verify the expected number of elements, this implicitly ensures that no additional elements are present. */
+	if (zend_hash_num_elements(data) != 4) {
+		return false;
+	}
+
 	for (uint32_t i = 0; i < 4; i++) {
 		t = zend_hash_index_find(data, i);
 		if (!t || Z_TYPE_P(t) != IS_STRING || Z_STRLEN_P(t) != (2 * sizeof(uint64_t))) {
--- a/ext/random/randomizer.c
+++ b/ext/random/randomizer.c
@@ -272,6 +272,12 @@ PHP_METHOD(Random_Randomizer, __unserialize)
 		Z_PARAM_ARRAY_HT(d);
 	ZEND_PARSE_PARAMETERS_END();

+	/* Verify the expected number of elements, this implicitly ensures that no additional elements are present. */
+	if (zend_hash_num_elements(d) != 1) {
+		zend_throw_exception(NULL, "Invalid serialization data for Random\\Randomizer object", 0);
+		RETURN_THROWS();
+	}
+
 	members_zv = zend_hash_index_find(d, 0);
 	if (!members_zv || Z_TYPE_P(members_zv) != IS_ARRAY) {
 		zend_throw_exception(NULL, "Invalid serialization data for Random\\Randomizer object", 0);
--- a/ext/random/tests/02_engine/all_serialize_error.phpt
+++ b/ext/random/tests/02_engine/all_serialize_error.phpt