1/*
2  +----------------------------------------------------------------------+
3  | PHP Version 5                                                        |
4  +----------------------------------------------------------------------+
5  | Copyright (c) 1997-2014 The PHP Group                                |
6  +----------------------------------------------------------------------+
7  | This source file is subject to version 3.01 of the PHP license,      |
8  | that is bundled with this package in the file LICENSE, and is        |
9  | available through the world-wide-web at the following url:           |
10  | http://www.php.net/license/3_01.txt                                  |
11  | If you did not receive a copy of the PHP license and are unable to   |
12  | obtain it through the world-wide-web, please send a note to          |
13  | license@php.net so we can mail you a copy immediately.               |
14  +----------------------------------------------------------------------+
15  | Author: Sascha Schumann <sascha@schumann.cx>                         |
16  +----------------------------------------------------------------------+
17*/
18
19/* $Id$ */
20
21#include "php.h"
22#include "ext/standard/php_var.h"
23#include "php_incomplete_class.h"
24#include "Zend/zend_interfaces.h"
25
26/* {{{ reference-handling for unserializer: var_* */
27#define VAR_ENTRIES_MAX 1024
28#define VAR_ENTRIES_DBG 0
29
30typedef struct {
31    zval *data[VAR_ENTRIES_MAX];
32    long used_slots;
33    void *next;
34} var_entries;
35
36static inline void var_push(php_unserialize_data_t *var_hashx, zval **rval)
37{
38    var_entries *var_hash = (*var_hashx)->last;
39#if VAR_ENTRIES_DBG
40    fprintf(stderr, "var_push(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval));
41#endif
42
43    if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) {
44        var_hash = emalloc(sizeof(var_entries));
45        var_hash->used_slots = 0;
46        var_hash->next = 0;
47
48        if (!(*var_hashx)->first) {
49            (*var_hashx)->first = var_hash;
50        } else {
51            ((var_entries *) (*var_hashx)->last)->next = var_hash;
52        }
53
54        (*var_hashx)->last = var_hash;
55    }
56
57    var_hash->data[var_hash->used_slots++] = *rval;
58}
59
60PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval)
61{
62    var_entries *var_hash;
63
64    if (!var_hashx || !*var_hashx) {
65        return;
66    }
67
68    var_hash = (*var_hashx)->last_dtor;
69#if VAR_ENTRIES_DBG
70    fprintf(stderr, "var_push_dtor(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval));
71#endif
72
73    if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) {
74        var_hash = emalloc(sizeof(var_entries));
75        var_hash->used_slots = 0;
76        var_hash->next = 0;
77
78        if (!(*var_hashx)->first_dtor) {
79            (*var_hashx)->first_dtor = var_hash;
80        } else {
81            ((var_entries *) (*var_hashx)->last_dtor)->next = var_hash;
82        }
83
84        (*var_hashx)->last_dtor = var_hash;
85    }
86
87    Z_ADDREF_PP(rval);
88    var_hash->data[var_hash->used_slots++] = *rval;
89}
90
91PHPAPI void var_push_dtor_no_addref(php_unserialize_data_t *var_hashx, zval **rval)
92{
93    var_entries *var_hash = (*var_hashx)->last_dtor;
94#if VAR_ENTRIES_DBG
95    fprintf(stderr, "var_push_dtor_no_addref(%ld): %d (%d)\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval));
96#endif
97
98    if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) {
99        var_hash = emalloc(sizeof(var_entries));
100        var_hash->used_slots = 0;
101        var_hash->next = 0;
102
103        if (!(*var_hashx)->first_dtor) {
104            (*var_hashx)->first_dtor = var_hash;
105        } else {
106            ((var_entries *) (*var_hashx)->last_dtor)->next = var_hash;
107        }
108
109        (*var_hashx)->last_dtor = var_hash;
110    }
111
112    var_hash->data[var_hash->used_slots++] = *rval;
113}
114
115PHPAPI void var_replace(php_unserialize_data_t *var_hashx, zval *ozval, zval **nzval)
116{
117    long i;
118    var_entries *var_hash = (*var_hashx)->first;
119#if VAR_ENTRIES_DBG
120    fprintf(stderr, "var_replace(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(nzval));
121#endif
122
123    while (var_hash) {
124        for (i = 0; i < var_hash->used_slots; i++) {
125            if (var_hash->data[i] == ozval) {
126                var_hash->data[i] = *nzval;
127                /* do not break here */
128            }
129        }
130        var_hash = var_hash->next;
131    }
132}
133
134static int var_access(php_unserialize_data_t *var_hashx, long id, zval ***store)
135{
136    var_entries *var_hash = (*var_hashx)->first;
137#if VAR_ENTRIES_DBG
138    fprintf(stderr, "var_access(%ld): %ld\n", var_hash?var_hash->used_slots:-1L, id);
139#endif
140
141    while (id >= VAR_ENTRIES_MAX && var_hash && var_hash->used_slots == VAR_ENTRIES_MAX) {
142        var_hash = var_hash->next;
143        id -= VAR_ENTRIES_MAX;
144    }
145
146    if (!var_hash) return !SUCCESS;
147
148    if (id < 0 || id >= var_hash->used_slots) return !SUCCESS;
149
150    *store = &var_hash->data[id];
151
152    return SUCCESS;
153}
154
155PHPAPI void var_destroy(php_unserialize_data_t *var_hashx)
156{
157    void *next;
158    long i;
159    var_entries *var_hash = (*var_hashx)->first;
160#if VAR_ENTRIES_DBG
161    fprintf(stderr, "var_destroy(%ld)\n", var_hash?var_hash->used_slots:-1L);
162#endif
163
164    while (var_hash) {
165        next = var_hash->next;
166        efree(var_hash);
167        var_hash = next;
168    }
169
170    var_hash = (*var_hashx)->first_dtor;
171
172    while (var_hash) {
173        for (i = 0; i < var_hash->used_slots; i++) {
174            zval_ptr_dtor(&var_hash->data[i]);
175        }
176        next = var_hash->next;
177        efree(var_hash);
178        var_hash = next;
179    }
180}
181
182/* }}} */
183
184static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen)
185{
186    size_t i, j;
187    char *str = safe_emalloc(*len, 1, 1);
188    unsigned char *end = *(unsigned char **)p+maxlen;
189
190    if (end < *p) {
191        efree(str);
192        return NULL;
193    }
194
195    for (i = 0; i < *len; i++) {
196        if (*p >= end) {
197            efree(str);
198            return NULL;
199        }
200        if (**p != '\\') {
201            str[i] = (char)**p;
202        } else {
203            unsigned char ch = 0;
204
205            for (j = 0; j < 2; j++) {
206                (*p)++;
207                if (**p >= '0' && **p <= '9') {
208                    ch = (ch << 4) + (**p -'0');
209                } else if (**p >= 'a' && **p <= 'f') {
210                    ch = (ch << 4) + (**p -'a'+10);
211                } else if (**p >= 'A' && **p <= 'F') {
212                    ch = (ch << 4) + (**p -'A'+10);
213                } else {
214                    efree(str);
215                    return NULL;
216                }
217            }
218            str[i] = (char)ch;
219        }
220        (*p)++;
221    }
222    str[i] = 0;
223    *len = i;
224    return str;
225}
226
227#define YYFILL(n) do { } while (0)
228#define YYCTYPE unsigned char
229#define YYCURSOR cursor
230#define YYLIMIT limit
231#define YYMARKER marker
232
233
234/*!re2c
235uiv = [+]? [0-9]+;
236iv = [+-]? [0-9]+;
237nv = [+-]? ([0-9]* "." [0-9]+|[0-9]+ "." [0-9]*);
238nvexp = (iv | nv) [eE] [+-]? iv;
239any = [\000-\377];
240object = [OC];
241*/
242
243
244
245static inline long parse_iv2(const unsigned char *p, const unsigned char **q)
246{
247    char cursor;
248    long result = 0;
249    int neg = 0;
250
251    switch (*p) {
252        case '-':
253            neg++;
254            /* fall-through */
255        case '+':
256            p++;
257    }
258
259    while (1) {
260        cursor = (char)*p;
261        if (cursor >= '0' && cursor <= '9') {
262            result = result * 10 + (size_t)(cursor - (unsigned char)'0');
263        } else {
264            break;
265        }
266        p++;
267    }
268    if (q) *q = p;
269    if (neg) return -result;
270    return result;
271}
272
273static inline long parse_iv(const unsigned char *p)
274{
275    return parse_iv2(p, NULL);
276}
277
278/* no need to check for length - re2c already did */
279static inline size_t parse_uiv(const unsigned char *p)
280{
281    unsigned char cursor;
282    size_t result = 0;
283
284    if (*p == '+') {
285        p++;
286    }
287
288    while (1) {
289        cursor = *p;
290        if (cursor >= '0' && cursor <= '9') {
291            result = result * 10 + (size_t)(cursor - (unsigned char)'0');
292        } else {
293            break;
294        }
295        p++;
296    }
297    return result;
298}
299
300#define UNSERIALIZE_PARAMETER zval **rval, const unsigned char **p, const unsigned char *max, php_unserialize_data_t *var_hash TSRMLS_DC
301#define UNSERIALIZE_PASSTHRU rval, p, max, var_hash TSRMLS_CC
302
303static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long elements, int objprops)
304{
305    while (elements-- > 0) {
306        zval *key, *data, **old_data;
307
308        ALLOC_INIT_ZVAL(key);
309
310        if (!php_var_unserialize(&key, p, max, NULL TSRMLS_CC)) {
311            zval_dtor(key);
312            FREE_ZVAL(key);
313            return 0;
314        }
315
316        if (Z_TYPE_P(key) != IS_LONG && Z_TYPE_P(key) != IS_STRING) {
317            zval_dtor(key);
318            FREE_ZVAL(key);
319            return 0;
320        }
321
322        ALLOC_INIT_ZVAL(data);
323
324        if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) {
325            zval_dtor(key);
326            FREE_ZVAL(key);
327            zval_dtor(data);
328            FREE_ZVAL(data);
329            return 0;
330        }
331
332        if (!objprops) {
333            switch (Z_TYPE_P(key)) {
334            case IS_LONG:
335                if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data)==SUCCESS) {
336                    var_push_dtor(var_hash, old_data);
337                }
338                zend_hash_index_update(ht, Z_LVAL_P(key), &data, sizeof(data), NULL);
339                break;
340            case IS_STRING:
341                if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
342                    var_push_dtor(var_hash, old_data);
343                }
344                zend_symtable_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof(data), NULL);
345                break;
346            }
347        } else {
348            /* object properties should include no integers */
349            convert_to_string(key);
350            if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
351                var_push_dtor(var_hash, old_data);
352            }
353            zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
354                    sizeof data, NULL);
355        }
356        var_push_dtor(var_hash, &data);
357
358        zval_dtor(key);
359        FREE_ZVAL(key);
360
361        if (elements && *(*p-1) != ';' && *(*p-1) != '}') {
362            (*p)--;
363            return 0;
364        }
365    }
366
367    return 1;
368}
369
370static inline int finish_nested_data(UNSERIALIZE_PARAMETER)
371{
372    if (*((*p)++) == '}')
373        return 1;
374
375#if SOMETHING_NEW_MIGHT_LEAD_TO_CRASH_ENABLE_IF_YOU_ARE_BRAVE
376    zval_ptr_dtor(rval);
377#endif
378    return 0;
379}
380
381static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
382{
383    long datalen;
384
385    datalen = parse_iv2((*p) + 2, p);
386
387    (*p) += 2;
388
389    if (datalen < 0 || (max - (*p)) <= datalen) {
390        zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
391        return 0;
392    }
393
394    if (ce->unserialize == NULL) {
395        zend_error(E_WARNING, "Class %s has no unserializer", ce->name);
396        object_init_ex(*rval, ce);
397    } else if (ce->unserialize(rval, ce, (const unsigned char*)*p, datalen, (zend_unserialize_data *)var_hash TSRMLS_CC) != SUCCESS) {
398        return 0;
399    }
400
401    (*p) += datalen;
402
403    return finish_nested_data(UNSERIALIZE_PASSTHRU);
404}
405
406static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
407{
408    long elements;
409
410    elements = parse_iv2((*p) + 2, p);
411
412    (*p) += 2;
413
414    /* The internal class check here is a BC fix only, userspace classes implementing the
415    Serializable interface have eventually an inconsistent behavior at this place when
416    unserialized from a manipulated string. Additionaly the interal classes can possibly
417    crash PHP so they're still disabled here. */
418    if (ce->serialize == NULL || ce->unserialize == zend_user_unserialize || (ZEND_INTERNAL_CLASS != ce->type && ce->create_object == NULL)) {
419        object_init_ex(*rval, ce);
420    } else {
421        /* If this class implements Serializable, it should not land here but in object_custom(). The passed string
422        obviously doesn't descend from the regular serializer. */
423        zend_error(E_WARNING, "Erroneous data format for unserializing '%s'", ce->name);
424        return 0;
425    }
426
427    return elements;
428}
429
430#ifdef PHP_WIN32
431# pragma optimize("", off)
432#endif
433static inline int object_common2(UNSERIALIZE_PARAMETER, long elements)
434{
435    zval *retval_ptr = NULL;
436    zval fname;
437
438    if (Z_TYPE_PP(rval) != IS_OBJECT) {
439        return 0;
440    }
441
442    if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) {
443        return 0;
444    }
445
446    if (Z_OBJCE_PP(rval) != PHP_IC_ENTRY &&
447        zend_hash_exists(&Z_OBJCE_PP(rval)->function_table, "__wakeup", sizeof("__wakeup"))) {
448        INIT_PZVAL(&fname);
449        ZVAL_STRINGL(&fname, "__wakeup", sizeof("__wakeup") - 1, 0);
450        BG(serialize_lock)++;
451        call_user_function_ex(CG(function_table), rval, &fname, &retval_ptr, 0, 0, 1, NULL TSRMLS_CC);
452        BG(serialize_lock)--;
453    }
454
455    if (retval_ptr) {
456        zval_ptr_dtor(&retval_ptr);
457    }
458
459    if (EG(exception)) {
460        return 0;
461    }
462
463    return finish_nested_data(UNSERIALIZE_PASSTHRU);
464
465}
466#ifdef PHP_WIN32
467# pragma optimize("", on)
468#endif
469
470PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
471{
472    const unsigned char *cursor, *limit, *marker, *start;
473    zval **rval_ref;
474
475    limit = max;
476    cursor = *p;
477
478    if (YYCURSOR >= YYLIMIT) {
479        return 0;
480    }
481
482    if (var_hash && cursor[0] != 'R') {
483        var_push(var_hash, rval);
484    }
485
486    start = cursor;
487
488
489
490/*!re2c
491
492"R:" iv ";"     {
493    long id;
494
495    *p = YYCURSOR;
496    if (!var_hash) return 0;
497
498    id = parse_iv(start + 2) - 1;
499    if (id == -1 || var_access(var_hash, id, &rval_ref) != SUCCESS) {
500        return 0;
501    }
502
503    if (*rval != NULL) {
504        zval_ptr_dtor(rval);
505    }
506    *rval = *rval_ref;
507    Z_ADDREF_PP(rval);
508    Z_SET_ISREF_PP(rval);
509
510    return 1;
511}
512
513"r:" iv ";"     {
514    long id;
515
516    *p = YYCURSOR;
517    if (!var_hash) return 0;
518
519    id = parse_iv(start + 2) - 1;
520    if (id == -1 || var_access(var_hash, id, &rval_ref) != SUCCESS) {
521        return 0;
522    }
523
524    if (*rval == *rval_ref) return 0;
525
526    if (*rval != NULL) {
527        var_push_dtor_no_addref(var_hash, rval);
528    }
529    *rval = *rval_ref;
530    Z_ADDREF_PP(rval);
531    Z_UNSET_ISREF_PP(rval);
532
533    return 1;
534}
535
536"N;"    {
537    *p = YYCURSOR;
538    INIT_PZVAL(*rval);
539    ZVAL_NULL(*rval);
540    return 1;
541}
542
543"b:" [01] ";"   {
544    *p = YYCURSOR;
545    INIT_PZVAL(*rval);
546    ZVAL_BOOL(*rval, parse_iv(start + 2));
547    return 1;
548}
549
550"i:" iv ";" {
551#if SIZEOF_LONG == 4
552    int digits = YYCURSOR - start - 3;
553
554    if (start[2] == '-' || start[2] == '+') {
555        digits--;
556    }
557
558    /* Use double for large long values that were serialized on a 64-bit system */
559    if (digits >= MAX_LENGTH_OF_LONG - 1) {
560        if (digits == MAX_LENGTH_OF_LONG - 1) {
561            int cmp = strncmp(YYCURSOR - MAX_LENGTH_OF_LONG, long_min_digits, MAX_LENGTH_OF_LONG - 1);
562
563            if (!(cmp < 0 || (cmp == 0 && start[2] == '-'))) {
564                goto use_double;
565            }
566        } else {
567            goto use_double;
568        }
569    }
570#endif
571    *p = YYCURSOR;
572    INIT_PZVAL(*rval);
573    ZVAL_LONG(*rval, parse_iv(start + 2));
574    return 1;
575}
576
577"d:" ("NAN" | "-"? "INF") ";"   {
578    *p = YYCURSOR;
579    INIT_PZVAL(*rval);
580
581    if (!strncmp(start + 2, "NAN", 3)) {
582        ZVAL_DOUBLE(*rval, php_get_nan());
583    } else if (!strncmp(start + 2, "INF", 3)) {
584        ZVAL_DOUBLE(*rval, php_get_inf());
585    } else if (!strncmp(start + 2, "-INF", 4)) {
586        ZVAL_DOUBLE(*rval, -php_get_inf());
587    }
588
589    return 1;
590}
591
592"d:" (iv | nv | nvexp) ";"  {
593#if SIZEOF_LONG == 4
594use_double:
595#endif
596    *p = YYCURSOR;
597    INIT_PZVAL(*rval);
598    ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL));
599    return 1;
600}
601
602"s:" uiv ":" ["]    {
603    size_t len, maxlen;
604    char *str;
605
606    len = parse_uiv(start + 2);
607    maxlen = max - YYCURSOR;
608    if (maxlen < len) {
609        *p = start + 2;
610        return 0;
611    }
612
613    str = (char*)YYCURSOR;
614
615    YYCURSOR += len;
616
617    if (*(YYCURSOR) != '"') {
618        *p = YYCURSOR;
619        return 0;
620    }
621
622    YYCURSOR += 2;
623    *p = YYCURSOR;
624
625    INIT_PZVAL(*rval);
626    ZVAL_STRINGL(*rval, str, len, 1);
627    return 1;
628}
629
630"S:" uiv ":" ["]    {
631    size_t len, maxlen;
632    char *str;
633
634    len = parse_uiv(start + 2);
635    maxlen = max - YYCURSOR;
636    if (maxlen < len) {
637        *p = start + 2;
638        return 0;
639    }
640
641    if ((str = unserialize_str(&YYCURSOR, &len, maxlen)) == NULL) {
642        return 0;
643    }
644
645    if (*(YYCURSOR) != '"') {
646        efree(str);
647        *p = YYCURSOR;
648        return 0;
649    }
650
651    YYCURSOR += 2;
652    *p = YYCURSOR;
653
654    INIT_PZVAL(*rval);
655    ZVAL_STRINGL(*rval, str, len, 0);
656    return 1;
657}
658
659"a:" uiv ":" "{" {
660    long elements = parse_iv(start + 2);
661    /* use iv() not uiv() in order to check data range */
662    *p = YYCURSOR;
663
664    if (elements < 0) {
665        return 0;
666    }
667
668    INIT_PZVAL(*rval);
669
670    array_init_size(*rval, elements);
671
672    if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_ARRVAL_PP(rval), elements, 0)) {
673        return 0;
674    }
675
676    return finish_nested_data(UNSERIALIZE_PASSTHRU);
677}
678
679"o:" iv ":" ["] {
680
681    INIT_PZVAL(*rval);
682
683    return object_common2(UNSERIALIZE_PASSTHRU,
684            object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
685}
686
687object ":" uiv ":" ["]  {
688    size_t len, len2, len3, maxlen;
689    long elements;
690    char *class_name;
691    zend_class_entry *ce;
692    zend_class_entry **pce;
693    int incomplete_class = 0;
694
695    int custom_object = 0;
696
697    zval *user_func;
698    zval *retval_ptr;
699    zval **args[1];
700    zval *arg_func_name;
701
702    if (*start == 'C') {
703        custom_object = 1;
704    }
705
706    INIT_PZVAL(*rval);
707    len2 = len = parse_uiv(start + 2);
708    maxlen = max - YYCURSOR;
709    if (maxlen < len || len == 0) {
710        *p = start + 2;
711        return 0;
712    }
713
714    class_name = (char*)YYCURSOR;
715
716    YYCURSOR += len;
717
718    if (*(YYCURSOR) != '"') {
719        *p = YYCURSOR;
720        return 0;
721    }
722    if (*(YYCURSOR+1) != ':') {
723        *p = YYCURSOR+1;
724        return 0;
725    }
726
727    len3 = strspn(class_name, "0123456789_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\177\200\201\202\203\204\205\206\207\210\211\212\213\214\215\216\217\220\221\222\223\224\225\226\227\230\231\232\233\234\235\236\237\240\241\242\243\244\245\246\247\250\251\252\253\254\255\256\257\260\261\262\263\264\265\266\267\270\271\272\273\274\275\276\277\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357\360\361\362\363\364\365\366\367\370\371\372\373\374\375\376\377\\");
728    if (len3 != len)
729    {
730        *p = YYCURSOR + len3 - len;
731        return 0;
732    }
733
734    class_name = estrndup(class_name, len);
735
736    do {
737        /* Try to find class directly */
738        BG(serialize_lock)++;
739        if (zend_lookup_class(class_name, len2, &pce TSRMLS_CC) == SUCCESS) {
740            BG(serialize_lock)--;
741            if (EG(exception)) {
742                efree(class_name);
743                return 0;
744            }
745            ce = *pce;
746            break;
747        }
748        BG(serialize_lock)--;
749
750        if (EG(exception)) {
751            efree(class_name);
752            return 0;
753        }
754
755        /* Check for unserialize callback */
756        if ((PG(unserialize_callback_func) == NULL) || (PG(unserialize_callback_func)[0] == '\0')) {
757            incomplete_class = 1;
758            ce = PHP_IC_ENTRY;
759            break;
760        }
761
762        /* Call unserialize callback */
763        MAKE_STD_ZVAL(user_func);
764        ZVAL_STRING(user_func, PG(unserialize_callback_func), 1);
765        args[0] = &arg_func_name;
766        MAKE_STD_ZVAL(arg_func_name);
767        ZVAL_STRING(arg_func_name, class_name, 1);
768        BG(serialize_lock)++;
769        if (call_user_function_ex(CG(function_table), NULL, user_func, &retval_ptr, 1, args, 0, NULL TSRMLS_CC) != SUCCESS) {
770            BG(serialize_lock)--;
771            if (EG(exception)) {
772                efree(class_name);
773                zval_ptr_dtor(&user_func);
774                zval_ptr_dtor(&arg_func_name);
775                return 0;
776            }
777            php_error_docref(NULL TSRMLS_CC, E_WARNING, "defined (%s) but not found", user_func->value.str.val);
778            incomplete_class = 1;
779            ce = PHP_IC_ENTRY;
780            zval_ptr_dtor(&user_func);
781            zval_ptr_dtor(&arg_func_name);
782            break;
783        }
784        BG(serialize_lock)--;
785        if (retval_ptr) {
786            zval_ptr_dtor(&retval_ptr);
787        }
788        if (EG(exception)) {
789            efree(class_name);
790            zval_ptr_dtor(&user_func);
791            zval_ptr_dtor(&arg_func_name);
792            return 0;
793        }
794
795        /* The callback function may have defined the class */
796        if (zend_lookup_class(class_name, len2, &pce TSRMLS_CC) == SUCCESS) {
797            ce = *pce;
798        } else {
799            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Function %s() hasn't defined the class it was called for", user_func->value.str.val);
800            incomplete_class = 1;
801            ce = PHP_IC_ENTRY;
802        }
803
804        zval_ptr_dtor(&user_func);
805        zval_ptr_dtor(&arg_func_name);
806        break;
807    } while (1);
808
809    *p = YYCURSOR;
810
811    if (custom_object) {
812        int ret;
813
814        ret = object_custom(UNSERIALIZE_PASSTHRU, ce);
815
816        if (ret && incomplete_class) {
817            php_store_class_name(*rval, class_name, len2);
818        }
819        efree(class_name);
820        return ret;
821    }
822
823    elements = object_common1(UNSERIALIZE_PASSTHRU, ce);
824
825    if (incomplete_class) {
826        php_store_class_name(*rval, class_name, len2);
827    }
828    efree(class_name);
829
830    return object_common2(UNSERIALIZE_PASSTHRU, elements);
831}
832
833"}" {
834    /* this is the case where we have less data than planned */
835    php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data");
836    return 0; /* not sure if it should be 0 or 1 here? */
837}
838
839any { return 0; }
840
841*/
842
843    return 0;
844}
845