components/php/php56/patches/CVE-2015-6831_70166.patch
changeset 5116 867d838118ad
5115:9c865404b7f5 5116:867d838118ad
       
     1 # Source: upstream
       
     2 # http://git.php.net/?p=php-src.git;a=commit;h=7381b6accc5559b2de039af3a22f6ec1003b03b3
       
     3 # https://bugs.php.net/bug.php?id=70166
       
     4 
       
     5 From 7381b6accc5559b2de039af3a22f6ec1003b03b3 Mon Sep 17 00:00:00 2001
       
     6 From: Stanislav Malyshev <[email protected]>
       
     7 Date: Sat, 1 Aug 2015 21:45:19 -0700
       
     8 Subject: [PATCH] Fixed bug #70166 - Use After Free Vulnerability in
       
     9  unserialize() with SPLArrayObject
       
    10 
       
    11 ---
       
    12  ext/spl/spl_array.c         |  3 +++
       
    13  ext/spl/tests/bug70166.phpt | 29 +++++++++++++++++++++++++++++
       
    14  2 files changed, 32 insertions(+)
       
    15  create mode 100644 ext/spl/tests/bug70166.phpt
       
    16 
       
    17 diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
       
    18 index a37eced..86608c0 100644
       
    19 --- a/ext/spl/spl_array.c
       
    20 +++ b/ext/spl/spl_array.c
       
    21 @@ -1777,6 +1777,7 @@ SPL_METHOD(Array, unserialize)
       
    22  		goto outexcept;
       
    23  	}
       
    24  
       
    25 +	var_push_dtor(&var_hash, &pflags);
       
    26  	--p; /* for ';' */
       
    27  	flags = Z_LVAL_P(pflags);
       
    28  	/* flags needs to be verified and we also need to verify whether the next
       
    29 @@ -1800,6 +1801,7 @@ SPL_METHOD(Array, unserialize)
       
    30  		if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {
       
    31  			goto outexcept;
       
    32  		}
       
    33 +		var_push_dtor(&var_hash, &intern->array);
       
    34  	}
       
    35  	if (*p != ';') {
       
    36  		goto outexcept;
       
    37 @@ -1818,6 +1820,7 @@ SPL_METHOD(Array, unserialize)
       
    38  		goto outexcept;
       
    39  	}
       
    40  
       
    41 +	var_push_dtor(&var_hash, &pmembers);
       
    42  	/* copy members */
       
    43  	if (!intern->std.properties) {
       
    44  		rebuild_object_properties(&intern->std);
       
    45 diff --git a/ext/spl/tests/bug70166.phpt b/ext/spl/tests/bug70166.phpt
       
    46 new file mode 100644
       
    47 index 0000000..51a3596
       
    48 --- /dev/null
       
    49 +++ b/ext/spl/tests/bug70166.phpt
       
    50 @@ -0,0 +1,29 @@
       
    51 +--TEST--
       
    52 +SPL: Bug #70166 Use After Free Vulnerability in unserialize() with SPLArrayObject
       
    53 +--FILE--
       
    54 +<?php
       
    55 +$inner = 'x:i:1;a:0:{};m:a:0:{}';
       
    56 +$exploit = 'a:2:{i:0;C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}i:1;R:5;}';
       
    57 +
       
    58 +$data = unserialize($exploit);
       
    59 +
       
    60 +for($i = 0; $i < 5; $i++) {
       
    61 +    $v[$i] = 'hi'.$i;
       
    62 +}
       
    63 +
       
    64 +var_dump($data);
       
    65 +?>
       
    66 +===DONE===
       
    67 +--EXPECTF--
       
    68 +array(2) {
       
    69 +  [0]=>
       
    70 +  object(ArrayObject)#%d (1) {
       
    71 +    ["storage":"ArrayObject":private]=>
       
    72 +    array(0) {
       
    73 +    }
       
    74 +  }
       
    75 +  [1]=>
       
    76 +  array(0) {
       
    77 +  }
       
    78 +}
       
    79 +===DONE===
       
    80 -- 
       
    81 2.1.4
       
    82 
       
    83
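Review bot: The three `var_push_dtor()` calls added to `SPL_METHOD(Array, unserialize)` in ext/spl/spl_array.c carry no comment, so a later maintainer cannot tell that they are the use-after-free fix rather than redundant bookkeeping. I would add above the first one `/* Bug #70166: keep the value referenced by var_hash so a later R:/r: back-reference in the outer stream cannot point at a freed zval */`, with a short pointer to it at the `intern->array` and `pmembers` calls. Each call sits after its `goto outexcept` guard, so only the success path registers the value. The `outexcept` label and its cleanup are outside the hunks, so it is worth confirming there that a failed parse does not release `pflags` or `pmembers` while the unserialize context can still reach them. The function body starts and ends outside all three hunks.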