1 # Source: upstream |
2 # http://git.php.net/?p=php-src.git;a=commit;h=7381b6accc5559b2de039af3a22f6ec1003b03b3 |
3 # https://bugs.php.net/bug.php?id=70166 |
4 |
5 From 7381b6accc5559b2de039af3a22f6ec1003b03b3 Mon Sep 17 00:00:00 2001 |
6 From: Stanislav Malyshev <[email protected]> |
7 Date: Sat, 1 Aug 2015 21:45:19 -0700 |
8 Subject: [PATCH] Fixed bug #70166 - Use After Free Vulnerability in |
9 unserialize() with SPLArrayObject |
10 |
11 --- |
12 ext/spl/spl_array.c | 3 +++ |
13 ext/spl/tests/bug70166.phpt | 29 +++++++++++++++++++++++++++++ |
14 2 files changed, 32 insertions(+) |
15 create mode 100644 ext/spl/tests/bug70166.phpt |
16 |
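--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1777,6 +1777,7 @@ SPL_METHOD(Array, unserialize)
 goto outexcept;
 }
 
+ var_push_dtor(&var_hash, &pflags);
 --p; /* for ';' */
 flags = Z_LVAL_P(pflags);
 /* flags needs to be verified and we also need to verify whether the next
@@ -1800,6 +1801,7 @@ SPL_METHOD(Array, unserialize)
 if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {
 goto outexcept;
 }
+ var_push_dtor(&var_hash, &intern->array);
 }
 if (*p != ';') {
 goto outexcept;
@@ -1818,6 +1820,7 @@ SPL_METHOD(Array, unserialize)
 goto outexcept;
 }
 
+ var_push_dtor(&var_hash, &pmembers);
 /* copy members */
 if (!intern->std.properties) {
 rebuild_object_properties(&intern->std);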
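Review bot: The three added `var_push_dtor` calls carry no comment saying why these values must stay registered with `var_hash`, so a later maintainer could read them as stray extra references and remove them; the first hunk (`&pflags`) is the place to document it, and the `&intern->array` and `&pmembers` hunks follow the same pattern. The commit title and the added test indicate the reason: a value unserialized here can still be reached through a back-reference later in the same payload, so it must outlive this method's own use of it and be released only when the outer unserialization is torn down. I would add above the first call `/* keep alive until the outer unserialize finishes: a later back-reference in the same payload may still resolve to this value (bug #70166) */` and a one-line pointer to that comment at the other two sites. The enclosing `SPL_METHOD(Array, unserialize)` begins before the first hunk and continues after the last, so how these values are released on the success and error paths is not visible here.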
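--- /dev/null
+++ b/ext/spl/tests/bug70166.phpt
@@ -0,0 +1,29 @@
+--TEST--
+SPL: Bug #70166 Use After Free Vulnerability in unserialize() with SPLArrayObject
+--FILE--
+<?php
+$inner = 'x:i:1;a:0:{};m:a:0:{}';
+$exploit = 'a:2:{i:0;C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}i:1;R:5;}';
+
+$data = unserialize($exploit);
+
+for($i = 0; $i < 5; $i++) {
+ $v[$i] = 'hi'.$i;
+}
+
+var_dump($data);
+?>
+===DONE===
+--EXPECTF--
+array(2) {
+ [0]=>
+ object(ArrayObject)#%d (1) {
+ ["storage":"ArrayObject":private]=>
+ array(0) {
+ }
+ }
+ [1]=>
+ array(0) {
+ }
+}
+===DONE===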
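Review bot: The regression test exercises only one of the three values the C change keeps alive: the single back-reference `R:5;` on the `$exploit` line resolves, judging by the expected `[1]=> array(0)` output, to the members array, so the flags (`pflags`) and storage (`intern->array`) sites patched in spl_array.c have no coverage. Consider adding sibling cases in this file that back-reference each of the other two values, so that dropping any one of the three `var_push_dtor` calls fails the suite rather than passing silently. The `for` loop that fills `$v` has no comment; it presumably exists so that freed memory is reused before `var_dump` runs and a stale pointer would produce visible garbage rather than a clean dump, and a one-line comment such as `// allocate a few values so stale memory from unserialize() would be reused before var_dump` would make that intent clear to whoever next edits the test.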
80 -- |
81 2.1.4 |
82 |
83 |