fix bug discovered in yvasiyarov#15
Yuriy Vasiyarov committed Sep 6, 2015
1 parent a935605 commit 14e5081
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions unserialize.go
@@ -8,6 +8,8 @@ import (
"strings"
)

const UNSERIAZABLE_OBJECT_MAX_LEN = 10 * 1024 * 1024 * 1024

func UnSerialize(s string) (PhpValue, error) {
decoder := NewUnSerializer(s)
decoder.SetSerializedDecodeFunc(SerializedDecodeFunc(UnSerialize))
@@ -259,6 +261,9 @@ func (self *UnSerializer) readLen() int {
} else {
if val, err = strconv.Atoi(raw); err != nil {
self.saveError(fmt.Errorf("php_serialize: Unable to convert %s to int: %v", raw, err))
} else if val > UNSERIAZABLE_OBJECT_MAX_LEN {
self.saveError(fmt.Errorf("php_serialize: Unserializable object length looks too big(%d). If you are sure you wanna unserialise it, please increase UNSERIAZABLE_OBJECT_MAX_LEN const", val, err))
val = 0
}
}
return val
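Review bot: The new bound in readLen rejects only lengths above UNSERIAZABLE_OBJECT_MAX_LEN, so a negative length still passes, because strconv.Atoi accepts a leading minus sign; if callers use the result as a slice bound or allocation size (not visible here), that is a panic on untrusted input, and the guard should read `} else if val < 0 || val > UNSERIAZABLE_OBJECT_MAX_LEN {`. The cap itself is 10 GiB, which is too large to bound memory use for a hostile payload and, as an untyped constant compared with an int, will not compile where int is 32 bits; checking the length against the bytes remaining in the input would be tighter. The fmt.Errorf call also passes `err` with no matching verb, and err is nil in this branch, so the message ends in an `%!(EXTRA ...)` artifact; drop `err` from the argument list. readLen starts and continues outside the hunk.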