summaryrefslogtreecommitdiffstats
path: root/bug70436.patch
diff options
context:
space:
mode:
Diffstat (limited to 'bug70436.patch')
-rw-r--r--bug70436.patch97
1 files changed, 97 insertions, 0 deletions
diff --git a/bug70436.patch b/bug70436.patch
new file mode 100644
index 0000000..c3dc139
--- /dev/null
+++ b/bug70436.patch
@@ -0,0 +1,97 @@
+Backported from 5.6.25 by Remi.
+
+From 27fe2b42fc4a0e82b30dba11e177611ac6a88bf5 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 7 Aug 2016 15:16:28 -0700
+Subject: [PATCH] Fix bug #70436: Use After Free Vulnerability in unserialize()
+
+---
+ ext/standard/tests/strings/bug70436.phpt | 65 ++++++++++++++++++++++++++++++++
+ ext/standard/var.c | 1 +
+ 2 files changed, 66 insertions(+)
+ create mode 100644 ext/standard/tests/strings/bug70436.phpt
+
+diff --git a/ext/standard/tests/strings/bug70436.phpt b/ext/standard/tests/strings/bug70436.phpt
+new file mode 100644
+index 0000000..c62e468
+--- /dev/null
++++ b/ext/standard/tests/strings/bug70436.phpt
+@@ -0,0 +1,65 @@
++--TEST--
++Bug #70436: Use After Free Vulnerability in unserialize()
++--FILE--
++<?php
++
++class obj implements Serializable
++{
++ var $data;
++
++ function serialize()
++ {
++ return serialize($this->data);
++ }
++
++ function unserialize($data)
++ {
++ $this->data = unserialize($data);
++ }
++}
++
++$fakezval = ptr2str(1122334455);
++$fakezval .= ptr2str(0);
++$fakezval .= "\x00\x00\x00\x00";
++$fakezval .= "\x01";
++$fakezval .= "\x00";
++$fakezval .= "\x00\x00";
++
++$inner = 'C:3:"obj":3:{ryat';
++$exploit = 'a:4:{i:0;i:1;i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:2;s:'.strlen($fakezval).':"'.$fakezval.'";i:3;R:5;}';
++
++$data = unserialize($exploit);
++
++var_dump($data);
++
++function ptr2str($ptr)
++{
++ $out = '';
++
++ for ($i = 0; $i < 8; $i++) {
++ $out .= chr($ptr & 0xff);
++ $ptr >>= 8;
++ }
++
++ return $out;
++}
++?>
++DONE
++--EXPECTF--
++Notice: unserialize(): Error at offset 0 of 3 bytes in %sbug70436.php on line %d
++
++Notice: unserialize(): Error at offset 17 of 17 bytes in %sbug70436.php on line %d
++array(4) {
++ [0]=>
++ int(1)
++ [1]=>
++ object(obj)#%d (1) {
++ ["data"]=>
++ bool(false)
++ }
++ [2]=>
++ string(24) "%s"
++ [3]=>
++ bool(false)
++}
++DONE
+\ No newline at end of file
+diff --git a/ext/standard/var.c b/ext/standard/var.c
+index f0efef2..137e794 100644
+--- a/ext/standard/var.c
++++ b/ext/standard/var.c
+@@ -965,6 +965,7 @@ PHP_FUNCTION(unserialize)
+ p = (const unsigned char*) buf;
+ PHP_VAR_UNSERIALIZE_INIT(var_hash);
+ if (!php_var_unserialize(&return_value, &p, p + buf_len, &var_hash TSRMLS_CC)) {
++ var_push_dtor(&var_hash, &return_value);
+ PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+ zval_dtor(return_value);
+ if (!EG(exception)) {
generated by cgit (git 2.34.1) at 2024-04-27 07:26:52 +0000