components/php/php56/patches/CVE-2015-6834_70365.patch
changeset 5116 867d838118ad
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php/php56/patches/CVE-2015-6834_70365.patch	Thu Nov 19 22:52:15 2015 -0800
@@ -0,0 +1,96 @@
+# Source: upstream
+# http://git.php.net/?p=php-src.git;a=commit;h=f06a069c462d37c2e009f6d1d93b8c8e7b713393
+# https://bugs.php.net/bug.php?id=70365
+
+From f06a069c462d37c2e009f6d1d93b8c8e7b713393 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <[email protected]>
+Date: Tue, 1 Sep 2015 00:14:15 -0700
+Subject: [PATCH] Fix bug #70365 - use-after-free vulnerability in
+ unserialize() with SplObjectStorage
+
+---
+ ext/spl/spl_observer.c      |  2 ++
+ ext/spl/tests/bug70365.phpt | 50 +++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 52 insertions(+)
+ create mode 100644 ext/spl/tests/bug70365.phpt
+
+diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
+index 5d94a3b..6a2e321 100644
+--- a/ext/spl/spl_observer.c
++++ b/ext/spl/spl_observer.c
+@@ -853,6 +853,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
+ 			zval_ptr_dtor(&pentry);
+ 			goto outexcept;
+ 		}
++		var_push_dtor(&var_hash, &pentry);
+ 		if(Z_TYPE_P(pentry) != IS_OBJECT) {
+ 			zval_ptr_dtor(&pentry);
+ 			goto outexcept;
+@@ -864,6 +865,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
+ 				zval_ptr_dtor(&pinf);
+ 				goto outexcept;
+ 			}
++			var_push_dtor(&var_hash, &pinf);
+ 		}
+ 
+ 		hash = spl_object_storage_get_hash(intern, getThis(), pentry, &hash_len TSRMLS_CC);
+diff --git a/ext/spl/tests/bug70365.phpt b/ext/spl/tests/bug70365.phpt
+new file mode 100644
+index 0000000..bd57360
+--- /dev/null
++++ b/ext/spl/tests/bug70365.phpt
+@@ -0,0 +1,50 @@
++--TEST--
++SPL: Bug #70365 yet another use-after-free vulnerability in unserialize() with SplObjectStorage
++--FILE--
++<?php
++class obj {
++	var $ryat;
++	function __wakeup() {
++		$this->ryat = 1;
++	}
++}
++
++$fakezval = ptr2str(1122334455);
++$fakezval .= ptr2str(0);
++$fakezval .= "\x00\x00\x00\x00";
++$fakezval .= "\x01";
++$fakezval .= "\x00";
++$fakezval .= "\x00\x00";
++
++$inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}';
++$exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;R:6;i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';
++
++$data = unserialize($exploit);
++
++var_dump($data);
++
++function ptr2str($ptr)
++{
++	$out = '';
++	for ($i = 0; $i < 8; $i++) {
++		$out .= chr($ptr & 0xff);
++		$ptr >>= 8;
++	}
++	return $out;
++}
++--EXPECTF--
++array(5) {
++  [0]=>
++  int(1)
++  [1]=>
++  &int(1)
++  [2]=>
++  object(obj)#%d (1) {
++    ["ryat"]=>
++    &int(1)
++  }
++  [3]=>
++  int(1)
++  [4]=>
++  string(24) "%s"
++}
+-- 
+2.1.4
+
+
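Review bot: The `# Source: upstream` header at the top of the new patch file records the upstream commit and bug URL but not the upstream release that carries the fix, which is what decides when this patch can be dropped on the next php56 version bump; a line such as `# Fixed upstream in: <PHP-RELEASE-PLACEHOLDER>` after the bug link would settle that. A one-sentence summary of what the fix does would also help whoever rebases it: the two added `var_push_dtor(&var_hash, ...)` calls in SplObjectStorage::unserialize register `pentry` and `pinf` with the unserializer's var_hash, which appears to be how their lifetime is tied to the outer unserialize() call so that the back-references (`R:3`, `R:6`) built by the regression test no longer dangle — worth confirming against the upstream commit before stating it in the header. The SPL_METHOD body that the inner hunks touch starts and ends outside those hunks, so the surrounding error paths that still `zval_ptr_dtor` the entries are not visible here.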