From 3798eb6fd5dddb211b01d41495072fd9858d4e32 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 12 Jul 2016 23:27:45 -0700 Subject: [PATCH] Fix bug #72562 - destroy var_hash properly --- ext/session/session.c | 3 ++- ext/session/tests/bug72562.phpt | 44 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 ext/session/tests/bug72562.phpt diff --git a/ext/session/session.c b/ext/session/session.c index f5439ea..cb6cc01 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -837,6 +837,7 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */ namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF); if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) { + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); return FAILURE; } diff --git a/ext/session/tests/bug72562.phpt b/ext/session/tests/bug72562.phpt new file mode 100644 index 0000000..d85e48b --- /dev/null +++ b/ext/session/tests/bug72562.phpt @@ -0,0 +1,44 @@ +--TEST-- +Bug #72562: Use After Free in unserialize() with Unexpected Session Deserialization +--SKIPIF-- + +--FILE-- +>= 8; + } + return $out; +} +?> +--EXPECTF-- +Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s/bug72562.php on line %d + +Notice: unserialize(): Error at offset 0 of 1 bytes in %s/bug72562.php on line %d + +Notice: unserialize(): Error at offset 4 of 4 bytes in %s/bug72562.php on line %d +bool(false)