|
1 # Source: upstream |
|
2 # http://git.php.net/?p=php-src.git;a=commit;h=c2e197e4efc663ca55f393bf0e799848842286f3 |
|
3 # https://bugs.php.net/bug.php?id=70168 |
|
4 # Patch cleaned up to not make extraneous whitespace changes. |
|
5 |
|
6 From c2e197e4efc663ca55f393bf0e799848842286f3 Mon Sep 17 00:00:00 2001 |
|
7 From: Stanislav Malyshev <[email protected]> |
|
8 Date: Sat, 1 Aug 2015 21:12:38 -0700 |
|
9 Subject: [PATCH] Fix bug #70168 - Use After Free Vulnerability in |
|
10 unserialize() with SplObjectStorage |
|
11 |
|
12 --- |
|
13 ext/spl/spl_observer.c | 68 +++++++++++++++++++++++---------------------- |
|
14 ext/spl/tests/bug70168.phpt | 19 +++++++++++++ |
|
15 2 files changed, 54 insertions(+), 33 deletions(-) |
|
16 create mode 100644 ext/spl/tests/bug70168.phpt |
|
17 |
|
18 diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c |
|
19 index da9110b..5d94a3b 100644 |
|
20 --- a/ext/spl/spl_observer.c |
|
21 +++ b/ext/spl/spl_observer.c |
|
22 @@ -832,14 +832,15 @@ SPL_METHOD(SplObjectStorage, unserialize) |
|
23 goto outexcept; |
|
24 } |
|
25 |
|
26 + var_push_dtor(&var_hash, &pcount); |
|
27 --p; /* for ';' */ |
|
28 count = Z_LVAL_P(pcount); |
|
29 - |
|
30 + |
|
31 while(count-- > 0) { |
|
32 spl_SplObjectStorageElement *pelement; |
|
33 char *hash; |
|
34 int hash_len; |
|
35 - |
|
36 + |
|
37 if (*p != ';') { |
|
38 goto outexcept; |
|
39 } |
|
40 @@ -903,6 +904,7 @@ SPL_METHOD(SplObjectStorage, unserialize) |
|
41 goto outexcept; |
|
42 } |
|
43 |
|
44 + var_push_dtor(&var_hash, &pmembers); |
|
45 /* copy members */ |
|
46 if (!intern->std.properties) { |
|
47 rebuild_object_properties(&intern->std); |
|
48 diff --git a/ext/spl/tests/bug70168.phpt b/ext/spl/tests/bug70168.phpt |
|
49 new file mode 100644 |
|
50 index 0000000..192f0f3 |
|
51 --- /dev/null |
|
52 +++ b/ext/spl/tests/bug70168.phpt |
|
53 @@ -0,0 +1,19 @@ |
|
54 +--TEST-- |
|
55 +SPL: Bug #70168 Use After Free Vulnerability in unserialize() with SplObjectStorage |
|
56 +--FILE-- |
|
57 +<?php |
|
58 +$inner = 'x:i:1;O:8:"stdClass":0:{};m:a:0:{}'; |
|
59 +$exploit = 'a:2:{i:0;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:1;R:3;}'; |
|
60 + |
|
61 +$data = unserialize($exploit); |
|
62 + |
|
63 +for($i = 0; $i < 5; $i++) { |
|
64 + $v[$i] = 'hi'.$i; |
|
65 +} |
|
66 + |
|
67 +var_dump($data[1]); |
|
68 +?> |
|
69 +===DONE=== |
|
70 +--EXPECT-- |
|
71 +int(1) |
|
72 +===DONE=== |
|
73 -- |
|
74 2.1.4 |
|
75 |
|
76 |