phpserialize

Fix index out of bounds panic

Open thebaer opened this issue 2 years ago • 3 comments

Previously, DecodePHPString could panic on this line due to the index being out of bounds: https://github.com/elliotchance/phpserialize/blob/5bb5ecfe1e06ac452fc9ee460c8ae2674465e0ef/unserialize.go#L29

This fixes that.



thebaer avatar Oct 19 '21 18:10 thebaer

Can you provide a test that was causing this panic?

elliotchance avatar Oct 20 '21 00:10 elliotchance

Sure, I'll try to dig up the data that caused this. But you can also see from that line that it's possible for this to happen. Do you need that test in order to merge this?

thebaer avatar Oct 20 '21 00:10 thebaer

Yes, if the last character is a \\ (which is a mangled input anyway?). However, if the last character is not, it shouldn't be skipped. So the protection needs to be conditional as well.

elliotchance avatar Oct 20 '21 01:10 elliotchance
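
The conditional bounds check discussed in this thread, as an added example that is neither phpserialize's code nor this PR's patch. It assumes a simplified decoder in which a backslash makes the next byte literal; `decodeUnguarded`, `decodeGuarded`, `panics` and `ErrTruncatedEscape` are hypothetical names.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

var ErrTruncatedEscape = errors.New("backslash at end of input")

// decodeUnguarded: hypothetical simplified decoder in which a backslash makes the
// next byte literal. It indexes past the backslash without a bounds check.
func decodeUnguarded(data []byte) string {
	var buf bytes.Buffer
	for i := 0; i < len(data); i++ {
		if data[i] == '\\' {
			i++ // step onto the escaped byte
		}
		buf.WriteByte(data[i]) // out of range when the backslash was last
	}
	return buf.String()
}

// decodeGuarded checks bounds only on the escape path, so a normal final byte is kept.
func decodeGuarded(data []byte) (string, error) {
	var buf bytes.Buffer
	for i := 0; i < len(data); i++ {
		if data[i] == '\\' {
			if i+1 >= len(data) {
				return buf.String(), ErrTruncatedEscape
			}
			i++
		}
		buf.WriteByte(data[i])
	}
	return buf.String(), nil
}

// panics reports whether f panics.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	fmt.Println(panics(func() { decodeUnguarded([]byte(`abc\`)) })) // constructed input
	fmt.Println(decodeGuarded([]byte(`abc\`)))
}
```

A regression test for this class of bug needs both cases: input ending in a backslash, and input ending in an ordinary byte that must still appear in the output.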