blob: bfe8c3e43a53450a8455df0c4c13fe8b4175dac6 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
|
Backported from 5.6.28 by Remi.
From b433034febb099835a61943986522eb246115910 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 23 Oct 2016 21:56:35 -0700
Subject: [PATCH] Fix bug #73144 and bug #73341 - remove extra dtor
---
ext/spl/spl_array.c | 2 +-
ext/standard/tests/serialize/bug73341.phpt | 24 ++++++++++++++++++++++++
2 files changed, 25 insertions(+), 1 deletion(-)
create mode 100644 ext/standard/tests/serialize/bug73341.phpt
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 700d609..e7cbd1f 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1798,7 +1798,7 @@ SPL_METHOD(Array, unserialize)
ALLOC_INIT_ZVAL(intern->array);
if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)
|| (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) {
- zval_ptr_dtor(&intern->array);
+ // zval_ptr_dtor(&intern->array);
goto outexcept;
}
var_push_dtor(&var_hash, &intern->array);
diff --git a/ext/standard/tests/serialize/bug73341.phpt b/ext/standard/tests/serialize/bug73341.phpt
new file mode 100644
index 0000000..5542321
--- /dev/null
+++ b/ext/standard/tests/serialize/bug73341.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug #73144 (Use-afte-free in ArrayObject Deserialization)
+--FILE--
+<?php
+try {
+$token = 'a:2:{i:0;O:1:"0":2:0s:1:"0";i:0;s:1:"0";a:1:{i:0;C:11:"ArrayObject":7:0x:i:0;r0';
+$obj = unserialize($token);
+} catch(Exception $e) {
+ echo $e->getMessage()."\n";
+}
+
+try {
+$inner = 'x:i:1;O:8:"stdClass":1:{};m:a:0:{}';
+$exploit = 'C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}';
+unserialize($exploit);
+} catch(Exception $e) {
+ echo $e->getMessage()."\n";
+}
+?>
+--EXPECTF--
+Error at offset 6 of 7 bytes
+
+Notice: ArrayObject::unserialize(): Unexpected end of serialized data in %sbug73341.php on line %d
+Error at offset 24 of 34 bytes
\ No newline at end of file
|