Fixed bug #73900

author Nikita Popov <nikita.ppv@gmail.com>

Sun, 25 Jun 2017 17:48:17 +0000 (19:48 +0200)

committer Nikita Popov <nikita.ppv@gmail.com>

Sun, 25 Jun 2017 17:48:17 +0000 (19:48 +0200)
author Nikita Popov <nikita.ppv@gmail.com>
Sun, 25 Jun 2017 17:48:17 +0000 (19:48 +0200)
committer Nikita Popov <nikita.ppv@gmail.com>
Sun, 25 Jun 2017 17:48:17 +0000 (19:48 +0200)
diff --git a/NEWS b/NEWS

index d0ddb656b0c186f2fa17dbc3e68943143f2c9b8f..58e7654de870878c0ef6a7ff20802eb1bc3da939 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,7 @@ PHP                                                                        NEWS
    . Fixed bug #74780 (parse_url() borken when query string contains colon). 
      (jhdxr)
    . Fixed bug #74761 (Unary operator expected error on some systems). (petk)
+  . Fixed bug #73900 (Use After Free in unserialize() SplFixedArray). (nikic)
  
  - SPL:
    . Fixed bug #73471 (PHP freezes with AppendIterator). (jhdxr)
diff --git a/Zend/tests/bug73900.phpt b/Zend/tests/bug73900.phpt

new file mode 100644 (file)

index 0000000..fbd5b86
--- /dev/null
+++ b/Zend/tests/bug73900.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #73900: Use After Free in unserialize() SplFixedArray
+--FILE--
+<?php
+
+$a = new stdClass;
+$b = new SplFixedArray(1);
+$b[0] = $a;
+$c = &$b[0];
+var_dump($c);
+
+?>
+--EXPECT--
+object(stdClass)#1 (0) {
+}
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c

index a5d09f41e8d96b557d3506ffbb373f6d4d38a34c..a4fb7ae10ba8a33e113f36484e8a865ae5987bdf 100644 (file)
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1758,16 +1758,9 @@ convert_to_array:
                                 zend_error(E_NOTICE, "Indirect modification of overloaded element of %s has no effect", ZSTR_VAL(ce->name));
                         } else if (EXPECTED(retval && Z_TYPE_P(retval) != IS_UNDEF)) {
                                 if (!Z_ISREF_P(retval)) {
-                                       if (Z_REFCOUNTED_P(retval) &&
-                                           Z_REFCOUNT_P(retval) > 1) {
-                                               if (Z_TYPE_P(retval) != IS_OBJECT) {
-                                                       Z_DELREF_P(retval);
-                                                       ZVAL_DUP(result, retval);
-                                                       retval = result;
-                                               } else {
-                                                       ZVAL_COPY_VALUE(result, retval);
-                                                       retval = result;
-                                               }
+                                       if (result != retval) {
+                                               ZVAL_COPY(result, retval);
+                                               retval = result;
                                         }
                                         if (Z_TYPE_P(retval) != IS_OBJECT) {
                                                 zend_class_entry *ce = Z_OBJCE_P(container);
author	Nikita Popov <nikita.ppv@gmail.com>
	Sun, 25 Jun 2017 17:48:17 +0000 (19:48 +0200)
committer	Nikita Popov <nikita.ppv@gmail.com>
	Sun, 25 Jun 2017 17:48:17 +0000 (19:48 +0200)
NEWS		patch \| blob \| history
Zend/tests/bug73900.phpt	[new file with mode: 0644]	patch \| blob
Zend/zend_execute.c		patch \| blob \| history