]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: aa82e99)
Fix bug #72562 - destroy var_hash properly
authorStanislav Malyshev <stas@php.net>
Wed, 13 Jul 2016 06:27:45 +0000 (23:27 -0700)
committerStanislav Malyshev <stas@php.net>
Wed, 13 Jul 2016 06:27:45 +0000 (23:27 -0700)
ext/session/session.c patch | blob | history
ext/session/tests/bug72562.phpt [new file with mode: 0644] patch | blob

diff --git a/ext/session/session.c b/ext/session/session.c
index f5439ea79c5b94b9c68adf8a1c5a77e8c318cf24..cb6cc01f219c12922f4ef7f4152aa08de2745123 100644 (file)
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -866,7 +866,7 @@ PS_SERIALIZER_DECODE_FUNC(php_serialize) /* {{{ */
        if (php_var_unserialize(&session_vars, &val, endptr, &var_hash TSRMLS_CC)) {
                var_push_dtor(&var_hash, &session_vars);
        }
-       
+
        PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
        if (PS(http_session_vars)) {
                zval_ptr_dtor(&PS(http_session_vars));
@@ -931,6 +931,7 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
                namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF);
 
                if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
+                       PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
                        return FAILURE;
                }
 
diff --git a/ext/session/tests/bug72562.phpt b/ext/session/tests/bug72562.phpt
new file mode 100644 (file)
index 0000000..d85e48b
--- /dev/null
+++ b/ext/session/tests/bug72562.phpt
@@ -0,0 +1,44 @@
+--TEST--
+Bug #72562: Use After Free in unserialize() with Unexpected Session Deserialization
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+
+ini_set('session.serialize_handler', 'php_binary');
+session_start();
+$sess = "\x1xi:1;\x2y";
+session_decode($sess);
+$uns_1 = '{';
+$out_1[] = unserialize($uns_1);
+unset($out_1);
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+for ($i = 0; $i < 5; $i++) {
+  $v[$i] = $fakezval.$i;
+}
+$uns_2 = 'R:2;';
+$out_2 = unserialize($uns_2);
+var_dump($out_2);
+
+function ptr2str($ptr)
+{
+       $out = '';
+       for ($i = 0; $i < 8; $i++) {
+               $out .= chr($ptr & 0xff);
+               $ptr >>= 8;
+       }
+       return $out;
+}
+?>
+--EXPECTF--
+Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s/bug72562.php on line %d
+
+Notice: unserialize(): Error at offset 0 of 1 bytes in %s/bug72562.php on line %d
+
+Notice: unserialize(): Error at offset 4 of 4 bytes in %s/bug72562.php on line %d
+bool(false)
Unnamed repository; edit this file 'description' to name the repository.