@@ -263,6 +263,7 @@ static zend_class_entry* msgpack_unserialize_class(zval **container, zend_string
263263 container_val = Z_ISREF_P (* container ) ? Z_REFVAL_P (* container ) : * container ;
264264 ZVAL_UNDEF (& container_tmp );
265265
266+ ZEND_ASSERT (class_name );
266267 do {
267268 /* Try to find class directly */
268269 ce = zend_lookup_class (class_name );
@@ -648,9 +649,16 @@ int msgpack_unserialize_map_item(msgpack_unserialize_data *unpack, zval **contai
648649 MSGPACK_UNSERIALIZE_FINISH_MAP_ITEM (unpack , key , val );
649650 return 0 ;
650651 } else {
651- switch (unpack -> type ) {
652+ int type = unpack -> type ;
653+ unpack -> type = MSGPACK_SERIALIZE_TYPE_NONE ;
654+
655+ switch (type ) {
652656 case MSGPACK_SERIALIZE_TYPE_CUSTOM_OBJECT :
653- unpack -> type = MSGPACK_SERIALIZE_TYPE_NONE ;
657+ {
658+ if (Z_TYPE_P (key ) != IS_STRING ) {
659+ MSGPACK_UNSERIALIZE_FINISH_MAP_ITEM (unpack , key , val );
660+ return MSGPACK_UNPACK_PARSE_ERROR ;
661+ }
654662
655663 ce = msgpack_unserialize_class (container , Z_STR_P (key ), 0 );
656664 if (ce == NULL ) {
@@ -664,23 +672,21 @@ int msgpack_unserialize_map_item(msgpack_unserialize_data *unpack, zval **contai
664672 __FUNCTION__ , ZSTR_VAL (ce -> name ));
665673
666674 MSGPACK_UNSERIALIZE_FINISH_MAP_ITEM (unpack , key , val );
667-
668675 return 0 ;
669676 }
670677
671678 ce -> unserialize (* container , ce , (const unsigned char * )Z_STRVAL_P (val ), Z_STRLEN_P (val ) + 1 , NULL );
672679
673680 MSGPACK_UNSERIALIZE_FINISH_MAP_ITEM (unpack , key , val );
674681 return 0 ;
682+ }
675683
676684 case MSGPACK_SERIALIZE_TYPE_RECURSIVE :
677685 case MSGPACK_SERIALIZE_TYPE_OBJECT :
678686 case MSGPACK_SERIALIZE_TYPE_OBJECT_REFERENCE :
679687 {
680688 zval * rval ;
681- int type = unpack -> type ;
682689
683- unpack -> type = MSGPACK_SERIALIZE_TYPE_NONE ;
684690 if (!(rval = msgpack_var_access (& unpack -> var_hash , Z_LVAL_P (val ) - 1 ))) {
685691 if (UNEXPECTED (Z_LVAL_P (val ) == 1 /* access the retval */ )) {
686692 rval = unpack -> retval ;
0 commit comments