- Disallow illegal class names

Author: helly25

ext/standard/var_unserializer.re

@@ -473,7 +473,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 }
 
 "O:" uiv ":" ["]	{
-	size_t len, len2, maxlen;
+	size_t len, len2, len3, maxlen;
 	int elements;
 	char *class_name;
 	zend_class_entry *ce;
@@ -506,6 +506,13 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 		return 0;
 	}
 
+	len3 = strspn(class_name, "0123456789_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ");
+	if (len3 != len)
+	{
+		*p = YYCURSOR + len3 - len;
+		return 0;
+	}
+
 	class_name = estrndup(class_name, len);
 
 	do {