|
1 CVE-2015-0273 |
|
2 Community BUG: |
|
3 https://bugs.php.net/bug.php?id=68942 |
|
4 Community CODE: |
|
5 http://git.php.net/?p=php-src.git;a=commit;h=71335e6ebabc1b12c057d8017fd811892ecdfd24 |
|
6 Below is the community patch. |
|
7 |
|
8 |
|
9 From 71335e6ebabc1b12c057d8017fd811892ecdfd24 Mon Sep 17 00:00:00 2001 |
|
10 From: Stanislav Malyshev <[email protected]> |
|
11 Date: Tue, 17 Feb 2015 06:53:27 +0100 |
|
12 Subject: [PATCH] Fix bug #68942 (Use after free vulnerability in unserialize() |
|
13 with DateTimeZone) |
|
14 |
|
15 --- |
|
16 ext/date/php_date.c | 21 ++++++++++----------- |
|
17 ext/date/tests/bug68942.phpt | 9 +++++++++ |
|
18 ext/date/tests/bug68942_2.phpt | 9 +++++++++ |
|
19 3 files changed, 28 insertions(+), 11 deletions(-) |
|
20 create mode 100644 ext/date/tests/bug68942.phpt |
|
21 create mode 100644 ext/date/tests/bug68942_2.phpt |
|
22 |
|
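diff --git a/ext/date/php_date.c b/ext/date/php_date.c
index f8571b9..15ca08d 100644
--- a/ext/date/php_date.c
+++ b/ext/date/php_date.c
@@ -2807,12 +2807,9 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht
 timelib_tzinfo *tzi;
 php_timezone_obj *tzobj;
 
- if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS) {
- convert_to_string(*z_date);
- if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) {
- convert_to_long(*z_timezone_type);
- if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) {
- convert_to_string(*z_timezone);
+ if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS && Z_TYPE_PP(z_date) == IS_STRING) {
+ if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) {
+ if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) {
 
 switch (Z_LVAL_PP(z_timezone_type)) {
 case TIMELIB_ZONETYPE_OFFSET:
@@ -2827,7 +2824,6 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht
 
 case TIMELIB_ZONETYPE_ID: {
 int ret;
- convert_to_string(*z_timezone);
 
 tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC);
 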
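Review bot: The new `Z_TYPE_PP(...) == IS_STRING` / `IS_LONG` checks in the first hunk replace the in-place `convert_to_string()`/`convert_to_long()` calls, but nothing on the new lines records why conversion is unsafe here, so a later cleanup could reintroduce it. I would add a comment above the first `zend_hash_find`, such as `/* No convert_to_*() on these values: zvals from unserialize() may be shared through R: references, and in-place conversion destroys the original (bug #68942). */`. The diffstat lists 21 changed lines for this file while the two hunks shown here account for 10, so the DateTimeZone wakeup path that bug68942.phpt exercises is presumably patched in hunks not shown on this page; confirm it carries the same type checks. The function body starts and ends outside both hunks, so the branch taken when a type check fails is not visible here.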
|
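diff --git a/ext/date/tests/bug68942.phpt b/ext/date/tests/bug68942.phpt
new file mode 100644
index 0000000..595cd9f
--- /dev/null
+++ b/ext/date/tests/bug68942.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone).
+--FILE--
+<?php
+$data = unserialize('a:2:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:4;}');
+var_dump($data);
+?>
+--EXPECTF--
+Fatal error: DateTimeZone::__wakeup(): Timezone initialization failed in %s/bug68942.php on line %d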
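Review bot: Both new tests (this file and bug68942_2.phpt) put the array and its `R:` back-reference only on `timezone_type`, so the `timezone` field, and `date` in the DateTime case, get the same new type check in php_date.c without being exercised with a non-string value. Adding one variant per field, each expecting the same fatal error, would pin all three checks against regression. The `%s/bug68942.php` pattern under `--EXPECTF--` (and `%s/bug68942_2.php` in the second file) also requires a literal forward slash, which may not match on Windows runners; `%sbug68942.php` is the more portable form.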
|
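diff --git a/ext/date/tests/bug68942_2.phpt b/ext/date/tests/bug68942_2.phpt
new file mode 100644
index 0000000..5b02567
--- /dev/null
+++ b/ext/date/tests/bug68942_2.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #68942 (Use after free vulnerability in unserialize() with DateTime).
+--FILE--
+<?php
+$data = unserialize('a:2:{i:0;O:8:"DateTime":3:{s:4:"date";s:26:"2000-01-01 00:00:00.000000";s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:5;}');
+var_dump($data);
+?>
+--EXPECTF--
+Fatal error: Invalid serialization data for DateTime object in %s/bug68942_2.php on line %d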
|
81 -- |
|
82 2.1.4 |
|
83 |