1/*
2  +----------------------------------------------------------------------+
3  | PHP Version 5                                                        |
4  +----------------------------------------------------------------------+
5  | Copyright (c) 1997-2014 The PHP Group                                |
6  +----------------------------------------------------------------------+
7  | This source file is subject to version 3.01 of the PHP license,      |
8  | that is bundled with this package in the file LICENSE, and is        |
9  | available through the world-wide-web at the following url:           |
10  | http://www.php.net/license/3_01.txt                                  |
11  | If you did not receive a copy of the PHP license and are unable to   |
12  | obtain it through the world-wide-web, please send a note to          |
13  | license@php.net so we can mail you a copy immediately.               |
14  +----------------------------------------------------------------------+
15  | Author: Sascha Schumann <sascha@schumann.cx>                         |
16  +----------------------------------------------------------------------+
17*/
18
19/* $Id$ */
20
21#include "php.h"
22#include "ext/standard/php_var.h"
23#include "php_incomplete_class.h"
24#include "Zend/zend_interfaces.h"
25
26/* {{{ reference-handling for unserializer: var_* */
27#define VAR_ENTRIES_MAX 1024
28#define VAR_ENTRIES_DBG 0
29
30typedef struct {
31    zval *data[VAR_ENTRIES_MAX];
32    long used_slots;
33    void *next;
34} var_entries;
35
36static inline void var_push(php_unserialize_data_t *var_hashx, zval **rval)
37{
38    var_entries *var_hash = (*var_hashx)->last;
39#if VAR_ENTRIES_DBG
40    fprintf(stderr, "var_push(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval));
41#endif
42
43    if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) {
44        var_hash = emalloc(sizeof(var_entries));
45        var_hash->used_slots = 0;
46        var_hash->next = 0;
47
48        if (!(*var_hashx)->first) {
49            (*var_hashx)->first = var_hash;
50        } else {
51            ((var_entries *) (*var_hashx)->last)->next = var_hash;
52        }
53
54        (*var_hashx)->last = var_hash;
55    }
56
57    var_hash->data[var_hash->used_slots++] = *rval;
58}
59
60PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval)
61{
62    var_entries *var_hash = (*var_hashx)->last_dtor;
63#if VAR_ENTRIES_DBG
64    fprintf(stderr, "var_push_dtor(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval));
65#endif
66
67    if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) {
68        var_hash = emalloc(sizeof(var_entries));
69        var_hash->used_slots = 0;
70        var_hash->next = 0;
71
72        if (!(*var_hashx)->first_dtor) {
73            (*var_hashx)->first_dtor = var_hash;
74        } else {
75            ((var_entries *) (*var_hashx)->last_dtor)->next = var_hash;
76        }
77
78        (*var_hashx)->last_dtor = var_hash;
79    }
80
81    Z_ADDREF_PP(rval);
82    var_hash->data[var_hash->used_slots++] = *rval;
83}
84
85PHPAPI void var_push_dtor_no_addref(php_unserialize_data_t *var_hashx, zval **rval)
86{
87    var_entries *var_hash = (*var_hashx)->last_dtor;
88#if VAR_ENTRIES_DBG
89    fprintf(stderr, "var_push_dtor_no_addref(%ld): %d (%d)\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval));
90#endif
91
92    if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) {
93        var_hash = emalloc(sizeof(var_entries));
94        var_hash->used_slots = 0;
95        var_hash->next = 0;
96
97        if (!(*var_hashx)->first_dtor) {
98            (*var_hashx)->first_dtor = var_hash;
99        } else {
100            ((var_entries *) (*var_hashx)->last_dtor)->next = var_hash;
101        }
102
103        (*var_hashx)->last_dtor = var_hash;
104    }
105
106    var_hash->data[var_hash->used_slots++] = *rval;
107}
108
109PHPAPI void var_replace(php_unserialize_data_t *var_hashx, zval *ozval, zval **nzval)
110{
111    long i;
112    var_entries *var_hash = (*var_hashx)->first;
113#if VAR_ENTRIES_DBG
114    fprintf(stderr, "var_replace(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(nzval));
115#endif
116
117    while (var_hash) {
118        for (i = 0; i < var_hash->used_slots; i++) {
119            if (var_hash->data[i] == ozval) {
120                var_hash->data[i] = *nzval;
121                /* do not break here */
122            }
123        }
124        var_hash = var_hash->next;
125    }
126}
127
128static int var_access(php_unserialize_data_t *var_hashx, long id, zval ***store)
129{
130    var_entries *var_hash = (*var_hashx)->first;
131#if VAR_ENTRIES_DBG
132    fprintf(stderr, "var_access(%ld): %ld\n", var_hash?var_hash->used_slots:-1L, id);
133#endif
134
135    while (id >= VAR_ENTRIES_MAX && var_hash && var_hash->used_slots == VAR_ENTRIES_MAX) {
136        var_hash = var_hash->next;
137        id -= VAR_ENTRIES_MAX;
138    }
139
140    if (!var_hash) return !SUCCESS;
141
142    if (id < 0 || id >= var_hash->used_slots) return !SUCCESS;
143
144    *store = &var_hash->data[id];
145
146    return SUCCESS;
147}
148
149PHPAPI void var_destroy(php_unserialize_data_t *var_hashx)
150{
151    void *next;
152    long i;
153    var_entries *var_hash = (*var_hashx)->first;
154#if VAR_ENTRIES_DBG
155    fprintf(stderr, "var_destroy(%ld)\n", var_hash?var_hash->used_slots:-1L);
156#endif
157
158    while (var_hash) {
159        next = var_hash->next;
160        efree(var_hash);
161        var_hash = next;
162    }
163
164    var_hash = (*var_hashx)->first_dtor;
165
166    while (var_hash) {
167        for (i = 0; i < var_hash->used_slots; i++) {
168            zval_ptr_dtor(&var_hash->data[i]);
169        }
170        next = var_hash->next;
171        efree(var_hash);
172        var_hash = next;
173    }
174}
175
176/* }}} */
177
178static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen)
179{
180    size_t i, j;
181    char *str = safe_emalloc(*len, 1, 1);
182    unsigned char *end = *(unsigned char **)p+maxlen;
183
184    if (end < *p) {
185        efree(str);
186        return NULL;
187    }
188
189    for (i = 0; i < *len; i++) {
190        if (*p >= end) {
191            efree(str);
192            return NULL;
193        }
194        if (**p != '\\') {
195            str[i] = (char)**p;
196        } else {
197            unsigned char ch = 0;
198
199            for (j = 0; j < 2; j++) {
200                (*p)++;
201                if (**p >= '0' && **p <= '9') {
202                    ch = (ch << 4) + (**p -'0');
203                } else if (**p >= 'a' && **p <= 'f') {
204                    ch = (ch << 4) + (**p -'a'+10);
205                } else if (**p >= 'A' && **p <= 'F') {
206                    ch = (ch << 4) + (**p -'A'+10);
207                } else {
208                    efree(str);
209                    return NULL;
210                }
211            }
212            str[i] = (char)ch;
213        }
214        (*p)++;
215    }
216    str[i] = 0;
217    *len = i;
218    return str;
219}
220
221#define YYFILL(n) do { } while (0)
222#define YYCTYPE unsigned char
223#define YYCURSOR cursor
224#define YYLIMIT limit
225#define YYMARKER marker
226
227
228/*!re2c
229uiv = [+]? [0-9]+;
230iv = [+-]? [0-9]+;
231nv = [+-]? ([0-9]* "." [0-9]+|[0-9]+ "." [0-9]*);
232nvexp = (iv | nv) [eE] [+-]? iv;
233any = [\000-\377];
234object = [OC];
235*/
236
237
238
239static inline long parse_iv2(const unsigned char *p, const unsigned char **q)
240{
241    char cursor;
242    long result = 0;
243    int neg = 0;
244
245    switch (*p) {
246        case '-':
247            neg++;
248            /* fall-through */
249        case '+':
250            p++;
251    }
252
253    while (1) {
254        cursor = (char)*p;
255        if (cursor >= '0' && cursor <= '9') {
256            result = result * 10 + (size_t)(cursor - (unsigned char)'0');
257        } else {
258            break;
259        }
260        p++;
261    }
262    if (q) *q = p;
263    if (neg) return -result;
264    return result;
265}
266
267static inline long parse_iv(const unsigned char *p)
268{
269    return parse_iv2(p, NULL);
270}
271
272/* no need to check for length - re2c already did */
273static inline size_t parse_uiv(const unsigned char *p)
274{
275    unsigned char cursor;
276    size_t result = 0;
277
278    if (*p == '+') {
279        p++;
280    }
281
282    while (1) {
283        cursor = *p;
284        if (cursor >= '0' && cursor <= '9') {
285            result = result * 10 + (size_t)(cursor - (unsigned char)'0');
286        } else {
287            break;
288        }
289        p++;
290    }
291    return result;
292}
293
294#define UNSERIALIZE_PARAMETER zval **rval, const unsigned char **p, const unsigned char *max, php_unserialize_data_t *var_hash TSRMLS_DC
295#define UNSERIALIZE_PASSTHRU rval, p, max, var_hash TSRMLS_CC
296
297static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long elements, int objprops)
298{
299    while (elements-- > 0) {
300        zval *key, *data, **old_data;
301
302        ALLOC_INIT_ZVAL(key);
303
304        if (!php_var_unserialize(&key, p, max, NULL TSRMLS_CC)) {
305            zval_dtor(key);
306            FREE_ZVAL(key);
307            return 0;
308        }
309
310        if (Z_TYPE_P(key) != IS_LONG && Z_TYPE_P(key) != IS_STRING) {
311            zval_dtor(key);
312            FREE_ZVAL(key);
313            return 0;
314        }
315
316        ALLOC_INIT_ZVAL(data);
317
318        if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) {
319            zval_dtor(key);
320            FREE_ZVAL(key);
321            zval_dtor(data);
322            FREE_ZVAL(data);
323            return 0;
324        }
325
326        if (!objprops) {
327            switch (Z_TYPE_P(key)) {
328            case IS_LONG:
329                if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data)==SUCCESS) {
330                    var_push_dtor(var_hash, old_data);
331                }
332                zend_hash_index_update(ht, Z_LVAL_P(key), &data, sizeof(data), NULL);
333                break;
334            case IS_STRING:
335                if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
336                    var_push_dtor(var_hash, old_data);
337                }
338                zend_symtable_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof(data), NULL);
339                break;
340            }
341        } else {
342            /* object properties should include no integers */
343            convert_to_string(key);
344            zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
345                    sizeof data, NULL);
346        }
347
348        zval_dtor(key);
349        FREE_ZVAL(key);
350
351        if (elements && *(*p-1) != ';' && *(*p-1) != '}') {
352            (*p)--;
353            return 0;
354        }
355    }
356
357    return 1;
358}
359
360static inline int finish_nested_data(UNSERIALIZE_PARAMETER)
361{
362    if (*((*p)++) == '}')
363        return 1;
364
365#if SOMETHING_NEW_MIGHT_LEAD_TO_CRASH_ENABLE_IF_YOU_ARE_BRAVE
366    zval_ptr_dtor(rval);
367#endif
368    return 0;
369}
370
371static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
372{
373    long datalen;
374
375    datalen = parse_iv2((*p) + 2, p);
376
377    (*p) += 2;
378
379    if (datalen < 0 || (*p) + datalen >= max) {
380        zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
381        return 0;
382    }
383
384    if (ce->unserialize == NULL) {
385        zend_error(E_WARNING, "Class %s has no unserializer", ce->name);
386        object_init_ex(*rval, ce);
387    } else if (ce->unserialize(rval, ce, (const unsigned char*)*p, datalen, (zend_unserialize_data *)var_hash TSRMLS_CC) != SUCCESS) {
388        return 0;
389    }
390
391    (*p) += datalen;
392
393    return finish_nested_data(UNSERIALIZE_PASSTHRU);
394}
395
396static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
397{
398    long elements;
399
400    elements = parse_iv2((*p) + 2, p);
401
402    (*p) += 2;
403
404    /* The internal class check here is a BC fix only, userspace classes implementing the
405    Serializable interface have eventually an inconsistent behavior at this place when
406    unserialized from a manipulated string. Additionaly the interal classes can possibly
407    crash PHP so they're still disabled here. */
408    if (ce->serialize == NULL || ce->unserialize == zend_user_unserialize || (ZEND_INTERNAL_CLASS != ce->type && ce->create_object == NULL)) {
409        object_init_ex(*rval, ce);
410    } else {
411        /* If this class implements Serializable, it should not land here but in object_custom(). The passed string
412        obviously doesn't descend from the regular serializer. */
413        zend_error(E_WARNING, "Erroneous data format for unserializing '%s'", ce->name);
414        return 0;
415    }
416
417    return elements;
418}
419
420#ifdef PHP_WIN32
421# pragma optimize("", off)
422#endif
423static inline int object_common2(UNSERIALIZE_PARAMETER, long elements)
424{
425    zval *retval_ptr = NULL;
426    zval fname;
427
428    if (Z_TYPE_PP(rval) != IS_OBJECT) {
429        return 0;
430    }
431
432    if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) {
433        return 0;
434    }
435
436    if (Z_OBJCE_PP(rval) != PHP_IC_ENTRY &&
437        zend_hash_exists(&Z_OBJCE_PP(rval)->function_table, "__wakeup", sizeof("__wakeup"))) {
438        INIT_PZVAL(&fname);
439        ZVAL_STRINGL(&fname, "__wakeup", sizeof("__wakeup") - 1, 0);
440        BG(serialize_lock)++;
441        call_user_function_ex(CG(function_table), rval, &fname, &retval_ptr, 0, 0, 1, NULL TSRMLS_CC);
442        BG(serialize_lock)--;
443    }
444
445    if (retval_ptr) {
446        zval_ptr_dtor(&retval_ptr);
447    }
448
449    if (EG(exception)) {
450        return 0;
451    }
452
453    return finish_nested_data(UNSERIALIZE_PASSTHRU);
454
455}
456#ifdef PHP_WIN32
457# pragma optimize("", on)
458#endif
459
460PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
461{
462    const unsigned char *cursor, *limit, *marker, *start;
463    zval **rval_ref;
464
465    limit = max;
466    cursor = *p;
467
468    if (YYCURSOR >= YYLIMIT) {
469        return 0;
470    }
471
472    if (var_hash && cursor[0] != 'R') {
473        var_push(var_hash, rval);
474    }
475
476    start = cursor;
477
478
479
480/*!re2c
481
482"R:" iv ";"     {
483    long id;
484
485    *p = YYCURSOR;
486    if (!var_hash) return 0;
487
488    id = parse_iv(start + 2) - 1;
489    if (id == -1 || var_access(var_hash, id, &rval_ref) != SUCCESS) {
490        return 0;
491    }
492
493    if (*rval != NULL) {
494        zval_ptr_dtor(rval);
495    }
496    *rval = *rval_ref;
497    Z_ADDREF_PP(rval);
498    Z_SET_ISREF_PP(rval);
499
500    return 1;
501}
502
503"r:" iv ";"     {
504    long id;
505
506    *p = YYCURSOR;
507    if (!var_hash) return 0;
508
509    id = parse_iv(start + 2) - 1;
510    if (id == -1 || var_access(var_hash, id, &rval_ref) != SUCCESS) {
511        return 0;
512    }
513
514    if (*rval == *rval_ref) return 0;
515
516    if (*rval != NULL) {
517        var_push_dtor_no_addref(var_hash, rval);
518    }
519    *rval = *rval_ref;
520    Z_ADDREF_PP(rval);
521    Z_UNSET_ISREF_PP(rval);
522
523    return 1;
524}
525
526"N;"    {
527    *p = YYCURSOR;
528    INIT_PZVAL(*rval);
529    ZVAL_NULL(*rval);
530    return 1;
531}
532
533"b:" [01] ";"   {
534    *p = YYCURSOR;
535    INIT_PZVAL(*rval);
536    ZVAL_BOOL(*rval, parse_iv(start + 2));
537    return 1;
538}
539
540"i:" iv ";" {
541#if SIZEOF_LONG == 4
542    int digits = YYCURSOR - start - 3;
543
544    if (start[2] == '-' || start[2] == '+') {
545        digits--;
546    }
547
548    /* Use double for large long values that were serialized on a 64-bit system */
549    if (digits >= MAX_LENGTH_OF_LONG - 1) {
550        if (digits == MAX_LENGTH_OF_LONG - 1) {
551            int cmp = strncmp(YYCURSOR - MAX_LENGTH_OF_LONG, long_min_digits, MAX_LENGTH_OF_LONG - 1);
552
553            if (!(cmp < 0 || (cmp == 0 && start[2] == '-'))) {
554                goto use_double;
555            }
556        } else {
557            goto use_double;
558        }
559    }
560#endif
561    *p = YYCURSOR;
562    INIT_PZVAL(*rval);
563    ZVAL_LONG(*rval, parse_iv(start + 2));
564    return 1;
565}
566
567"d:" ("NAN" | "-"? "INF") ";"   {
568    *p = YYCURSOR;
569    INIT_PZVAL(*rval);
570
571    if (!strncmp(start + 2, "NAN", 3)) {
572        ZVAL_DOUBLE(*rval, php_get_nan());
573    } else if (!strncmp(start + 2, "INF", 3)) {
574        ZVAL_DOUBLE(*rval, php_get_inf());
575    } else if (!strncmp(start + 2, "-INF", 4)) {
576        ZVAL_DOUBLE(*rval, -php_get_inf());
577    }
578
579    return 1;
580}
581
582"d:" (iv | nv | nvexp) ";"  {
583#if SIZEOF_LONG == 4
584use_double:
585#endif
586    *p = YYCURSOR;
587    INIT_PZVAL(*rval);
588    ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL));
589    return 1;
590}
591
592"s:" uiv ":" ["]    {
593    size_t len, maxlen;
594    char *str;
595
596    len = parse_uiv(start + 2);
597    maxlen = max - YYCURSOR;
598    if (maxlen < len) {
599        *p = start + 2;
600        return 0;
601    }
602
603    str = (char*)YYCURSOR;
604
605    YYCURSOR += len;
606
607    if (*(YYCURSOR) != '"') {
608        *p = YYCURSOR;
609        return 0;
610    }
611
612    YYCURSOR += 2;
613    *p = YYCURSOR;
614
615    INIT_PZVAL(*rval);
616    ZVAL_STRINGL(*rval, str, len, 1);
617    return 1;
618}
619
620"S:" uiv ":" ["]    {
621    size_t len, maxlen;
622    char *str;
623
624    len = parse_uiv(start + 2);
625    maxlen = max - YYCURSOR;
626    if (maxlen < len) {
627        *p = start + 2;
628        return 0;
629    }
630
631    if ((str = unserialize_str(&YYCURSOR, &len, maxlen)) == NULL) {
632        return 0;
633    }
634
635    if (*(YYCURSOR) != '"') {
636        efree(str);
637        *p = YYCURSOR;
638        return 0;
639    }
640
641    YYCURSOR += 2;
642    *p = YYCURSOR;
643
644    INIT_PZVAL(*rval);
645    ZVAL_STRINGL(*rval, str, len, 0);
646    return 1;
647}
648
649"a:" uiv ":" "{" {
650    long elements = parse_iv(start + 2);
651    /* use iv() not uiv() in order to check data range */
652    *p = YYCURSOR;
653
654    if (elements < 0) {
655        return 0;
656    }
657
658    INIT_PZVAL(*rval);
659
660    array_init_size(*rval, elements);
661
662    if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_ARRVAL_PP(rval), elements, 0)) {
663        return 0;
664    }
665
666    return finish_nested_data(UNSERIALIZE_PASSTHRU);
667}
668
669"o:" iv ":" ["] {
670
671    INIT_PZVAL(*rval);
672
673    return object_common2(UNSERIALIZE_PASSTHRU,
674            object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
675}
676
677object ":" uiv ":" ["]  {
678    size_t len, len2, len3, maxlen;
679    long elements;
680    char *class_name;
681    zend_class_entry *ce;
682    zend_class_entry **pce;
683    int incomplete_class = 0;
684
685    int custom_object = 0;
686
687    zval *user_func;
688    zval *retval_ptr;
689    zval **args[1];
690    zval *arg_func_name;
691
692    if (*start == 'C') {
693        custom_object = 1;
694    }
695
696    INIT_PZVAL(*rval);
697    len2 = len = parse_uiv(start + 2);
698    maxlen = max - YYCURSOR;
699    if (maxlen < len || len == 0) {
700        *p = start + 2;
701        return 0;
702    }
703
704    class_name = (char*)YYCURSOR;
705
706    YYCURSOR += len;
707
708    if (*(YYCURSOR) != '"') {
709        *p = YYCURSOR;
710        return 0;
711    }
712    if (*(YYCURSOR+1) != ':') {
713        *p = YYCURSOR+1;
714        return 0;
715    }
716
717    len3 = strspn(class_name, "0123456789_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\177\200\201\202\203\204\205\206\207\210\211\212\213\214\215\216\217\220\221\222\223\224\225\226\227\230\231\232\233\234\235\236\237\240\241\242\243\244\245\246\247\250\251\252\253\254\255\256\257\260\261\262\263\264\265\266\267\270\271\272\273\274\275\276\277\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357\360\361\362\363\364\365\366\367\370\371\372\373\374\375\376\377\\");
718    if (len3 != len)
719    {
720        *p = YYCURSOR + len3 - len;
721        return 0;
722    }
723
724    class_name = estrndup(class_name, len);
725
726    do {
727        /* Try to find class directly */
728        BG(serialize_lock)++;
729        if (zend_lookup_class(class_name, len2, &pce TSRMLS_CC) == SUCCESS) {
730            BG(serialize_lock)--;
731            if (EG(exception)) {
732                efree(class_name);
733                return 0;
734            }
735            ce = *pce;
736            break;
737        }
738        BG(serialize_lock)--;
739
740        if (EG(exception)) {
741            efree(class_name);
742            return 0;
743        }
744
745        /* Check for unserialize callback */
746        if ((PG(unserialize_callback_func) == NULL) || (PG(unserialize_callback_func)[0] == '\0')) {
747            incomplete_class = 1;
748            ce = PHP_IC_ENTRY;
749            break;
750        }
751
752        /* Call unserialize callback */
753        MAKE_STD_ZVAL(user_func);
754        ZVAL_STRING(user_func, PG(unserialize_callback_func), 1);
755        args[0] = &arg_func_name;
756        MAKE_STD_ZVAL(arg_func_name);
757        ZVAL_STRING(arg_func_name, class_name, 1);
758        BG(serialize_lock)++;
759        if (call_user_function_ex(CG(function_table), NULL, user_func, &retval_ptr, 1, args, 0, NULL TSRMLS_CC) != SUCCESS) {
760            BG(serialize_lock)--;
761            if (EG(exception)) {
762                efree(class_name);
763                zval_ptr_dtor(&user_func);
764                zval_ptr_dtor(&arg_func_name);
765                return 0;
766            }
767            php_error_docref(NULL TSRMLS_CC, E_WARNING, "defined (%s) but not found", user_func->value.str.val);
768            incomplete_class = 1;
769            ce = PHP_IC_ENTRY;
770            zval_ptr_dtor(&user_func);
771            zval_ptr_dtor(&arg_func_name);
772            break;
773        }
774        BG(serialize_lock)--;
775        if (retval_ptr) {
776            zval_ptr_dtor(&retval_ptr);
777        }
778        if (EG(exception)) {
779            efree(class_name);
780            zval_ptr_dtor(&user_func);
781            zval_ptr_dtor(&arg_func_name);
782            return 0;
783        }
784
785        /* The callback function may have defined the class */
786        if (zend_lookup_class(class_name, len2, &pce TSRMLS_CC) == SUCCESS) {
787            ce = *pce;
788        } else {
789            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Function %s() hasn't defined the class it was called for", user_func->value.str.val);
790            incomplete_class = 1;
791            ce = PHP_IC_ENTRY;
792        }
793
794        zval_ptr_dtor(&user_func);
795        zval_ptr_dtor(&arg_func_name);
796        break;
797    } while (1);
798
799    *p = YYCURSOR;
800
801    if (custom_object) {
802        int ret;
803
804        ret = object_custom(UNSERIALIZE_PASSTHRU, ce);
805
806        if (ret && incomplete_class) {
807            php_store_class_name(*rval, class_name, len2);
808        }
809        efree(class_name);
810        return ret;
811    }
812
813    elements = object_common1(UNSERIALIZE_PASSTHRU, ce);
814
815    if (incomplete_class) {
816        php_store_class_name(*rval, class_name, len2);
817    }
818    efree(class_name);
819
820    return object_common2(UNSERIALIZE_PASSTHRU, elements);
821}
822
823"}" {
824    /* this is the case where we have less data than planned */
825    php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data");
826    return 0; /* not sure if it should be 0 or 1 here? */
827}
828
829any { return 0; }
830
831*/
832
833    return 0;
834}
835