components/php/php56/patches/CVE-2015-6831_70168.patch
changeset 5116 867d838118ad
5115:9c865404b7f5 5116:867d838118ad
       
     1 # Source: upstream
       
     2 # http://git.php.net/?p=php-src.git;a=commit;h=c2e197e4efc663ca55f393bf0e799848842286f3
       
     3 # https://bugs.php.net/bug.php?id=70168
       
     4 # Patch cleaned up to not make extraneous whitespace changes.
       
     5 
       
     6 From c2e197e4efc663ca55f393bf0e799848842286f3 Mon Sep 17 00:00:00 2001
       
     7 From: Stanislav Malyshev <[email protected]>
       
     8 Date: Sat, 1 Aug 2015 21:12:38 -0700
       
     9 Subject: [PATCH] Fix bug #70168 - Use After Free Vulnerability in
       
    10  unserialize() with SplObjectStorage
       
    11 
       
    12 ---
       
    13  ext/spl/spl_observer.c      | 68 +++++++++++++++++++++++----------------------
       
    14  ext/spl/tests/bug70168.phpt | 19 +++++++++++++
       
    15  2 files changed, 54 insertions(+), 33 deletions(-)
       
    16  create mode 100644 ext/spl/tests/bug70168.phpt
       
    17 
       
    18 diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
       
    19 index da9110b..5d94a3b 100644
       
    20 --- a/ext/spl/spl_observer.c
       
    21 +++ b/ext/spl/spl_observer.c
       
    22 @@ -832,14 +832,15 @@ SPL_METHOD(SplObjectStorage, unserialize)
       
    23  		goto outexcept;
       
    24  	}
       
    25  
       
    26 +	var_push_dtor(&var_hash, &pcount);
       
    27  	--p; /* for ';' */
       
    28  	count = Z_LVAL_P(pcount);
       
    29 -		
       
    30 +
       
    31  	while(count-- > 0) {
       
    32  		spl_SplObjectStorageElement *pelement;
       
    33  		char *hash;
       
    34  		int hash_len;
       
    35 -		
       
    36 +
       
    37  		if (*p != ';') {
       
    38  			goto outexcept;
       
    39  		}
       
    40 @@ -903,6 +904,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
       
    41  		goto outexcept;
       
    42  	}
       
    43  
       
    44 +	var_push_dtor(&var_hash, &pmembers);
       
    45  	/* copy members */
       
    46  	if (!intern->std.properties) {
       
    47  		rebuild_object_properties(&intern->std);
       
    48 diff --git a/ext/spl/tests/bug70168.phpt b/ext/spl/tests/bug70168.phpt
       
    49 new file mode 100644
       
    50 index 0000000..192f0f3
       
    51 --- /dev/null
       
    52 +++ b/ext/spl/tests/bug70168.phpt
       
    53 @@ -0,0 +1,19 @@
       
    54 +--TEST--
       
    55 +SPL: Bug #70168 Use After Free Vulnerability in unserialize() with SplObjectStorage
       
    56 +--FILE--
       
    57 +<?php
       
    58 +$inner = 'x:i:1;O:8:"stdClass":0:{};m:a:0:{}';
       
    59 +$exploit = 'a:2:{i:0;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:1;R:3;}';
       
    60 +
       
    61 +$data = unserialize($exploit);
       
    62 +
       
    63 +for($i = 0; $i < 5; $i++) {
       
    64 +    $v[$i] = 'hi'.$i;
       
    65 +}
       
    66 +
       
    67 +var_dump($data[1]);
       
    68 +?>
       
    69 +===DONE===
       
    70 +--EXPECT--
       
    71 +int(1)
       
    72 +===DONE===
       
    73 -- 
       
    74 2.1.4
       
    75 
       
    76
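Review bot: The header at patch line 4 says the patch was cleaned up to not make extraneous whitespace changes, but the first spl_observer.c hunk still carries two whitespace-only changes, the `-		`/`+` pairs at patch lines 29–30 and 35–36, which only strip trailing tabs from blank lines. Either reword the header, e.g. `# Patch cleaned up; two trailing-whitespace-only lines from upstream are retained.`, or replace each pair with a single context line that keeps the original trailing tabs, which leaves the `@@ -832,14 +832,15 @@` counts valid because a removed-plus-added pair and one context line contribute the same to both sides. The functional change itself, the two `var_push_dtor(&var_hash, ...)` calls for `pcount` and `pmembers`, is unaffected either way. The enclosing SPL_METHOD(SplObjectStorage, unserialize) starts and ends outside both hunks, so the zval lifetimes those calls are meant to cover cannot be checked from this page alone.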