]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f06a069)
Fix bug #70366 - use-after-free vulnerability in unserialize() with SplDoublyLinkedList
authorStanislav Malyshev <stas@php.net>
Tue, 1 Sep 2015 07:20:45 +0000 (00:20 -0700)
committerStanislav Malyshev <stas@php.net>
Tue, 1 Sep 2015 07:20:45 +0000 (00:20 -0700)
ext/spl/spl_dllist.c patch | blob | history
ext/spl/tests/bug70365.phpt patch | blob | history
ext/spl/tests/bug70366.phpt [new file with mode: 0644] patch | blob

diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
index 011d7a6e3c43634139fa59094b64f13646a8f00e..ebe61c3f7a7fcc90568b91d115ae5b5a0783629d 100644 (file)
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -1221,6 +1221,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)
                        zval_ptr_dtor(&elem);
                        goto error;
                }
+               var_push_dtor(&var_hash, &elem);
 
                spl_ptr_llist_push(intern->llist, elem TSRMLS_CC);
        }
diff --git a/ext/spl/tests/bug70365.phpt b/ext/spl/tests/bug70365.phpt
index bd57360d3aa0b614664da219408a6ce699ea9163..c18110e3ca17b9ec0093edb95f9b39ca5155c368 100644 (file)
--- a/ext/spl/tests/bug70365.phpt
+++ b/ext/spl/tests/bug70365.phpt
@@ -1,5 +1,5 @@
 --TEST--
-SPL: Bug #70365 yet another use-after-free vulnerability in unserialize() with SplObjectStorage
+SPL: Bug #70365 use-after-free vulnerability in unserialize() with SplObjectStorage
 --FILE--
 <?php
 class obj {
diff --git a/ext/spl/tests/bug70366.phpt b/ext/spl/tests/bug70366.phpt
new file mode 100644 (file)
index 0000000..c9aa584
--- /dev/null
+++ b/ext/spl/tests/bug70366.phpt
@@ -0,0 +1,54 @@
+--TEST--
+SPL: Bug #70366 use-after-free vulnerability in unserialize() with SplDoublyLinkedList
+--FILE--
+<?php
+class obj {
+       var $ryat;
+       function __wakeup() {
+               $this->ryat = 1;
+       }
+}
+
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+
+$inner = 'i:1234;:i:1;';
+$exploit = 'a:5:{i:0;i:1;i:1;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;a:1:{i:0;R:5;}i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';
+
+$data = unserialize($exploit);
+
+var_dump($data);
+
+function ptr2str($ptr)
+{
+       $out = '';
+       for ($i = 0; $i < 8; $i++) {
+               $out .= chr($ptr & 0xff);
+               $ptr >>= 8;
+       }
+       return $out;
+}
+?>
+--EXPECTF--
+array(5) {
+  [0]=>
+  int(1)
+  [1]=>
+  &int(1)
+  [2]=>
+  object(obj)#%d (1) {
+    ["ryat"]=>
+    &int(1)
+  }
+  [3]=>
+  array(1) {
+    [0]=>
+    int(1)
+  }
+  [4]=>
+  string(24) "%s"
+}
\ No newline at end of file
Unnamed repository; edit this file 'description' to name the repository.