--- /dev/null
+--TEST--
+Bug #72663 (2): Don't allow references into failed unserialize
+--FILE--
+<?php
+
+class obj implements Serializable {
+ public $data;
+ function serialize() {
+ return serialize($this->data);
+ }
+ function unserialize($data) {
+ $this->data = unserialize($data);
+ }
+}
+
+$inner = 'a:1:{i:0;O:9:"Exception":2:{s:7:"'."\0".'*'."\0".'file";R:4;}';
+$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:4;}';
+var_dump(unserialize($exploit));
+
+?>
+--EXPECTF--
+Notice: unserialize(): Unexpected end of serialized data in %s on line %d
+
+Notice: unserialize(): Error at offset 46 of 47 bytes in %s on line %d
+
+Notice: unserialize(): Error at offset 79 of 80 bytes in %s on line %d
+bool(false)
#define UNSERIALIZE_PARAMETER zval *rval, const unsigned char **p, const unsigned char *max, php_unserialize_data_t *var_hash, HashTable *classes
#define UNSERIALIZE_PASSTHRU rval, p, max, var_hash, classes
+static int php_var_unserialize_internal(UNSERIALIZE_PARAMETER);
+
static zend_always_inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, zend_long elements, int objprops)
{
while (elements-- > 0) {
ZVAL_UNDEF(&key);
- if (!php_var_unserialize_ex(&key, p, max, NULL, classes)) {
+ if (!php_var_unserialize_internal(&key, p, max, NULL, classes)) {
zval_dtor(&key);
return 0;
}
}
}
- if (!php_var_unserialize_ex(data, p, max, var_hash, classes)) {
+ if (!php_var_unserialize_internal(data, p, max, var_hash, classes)) {
zval_dtor(&key);
return 0;
}
return php_var_unserialize_ex(UNSERIALIZE_PASSTHRU);
}
-
PHPAPI int php_var_unserialize_ex(UNSERIALIZE_PARAMETER)
+{
+ var_entries *orig_var_entries = (*var_hash)->last;
+ zend_long orig_used_slots = orig_var_entries ? orig_var_entries->used_slots : 0;
+ int result;
+
+ result = php_var_unserialize_internal(UNSERIALIZE_PASSTHRU);
+
+ if (!result) {
+ /* If the unserialization failed, mark all elements that have been added to var_hash
+ * as NULL. This will forbid their use by other unserialize() calls in the same
+ * unserialization context. */
+ var_entries *e = orig_var_entries;
+ zend_long s = orig_used_slots;
+ while (e) {
+ for (; s < e->used_slots; s++) {
+ e->data[s] = NULL;
+ }
+
+ e = e->next;
+ s = 0;
+ }
+ }
+
+ return result;
+}
+
+static int php_var_unserialize_internal(UNSERIALIZE_PARAMETER)
{
const unsigned char *cursor, *limit, *marker, *start;
zval *rval_ref;
start = cursor;
-#line 526 "ext/standard/var_unserializer.c"
+#line 554 "ext/standard/var_unserializer.c"
{
YYCTYPE yych;
static const unsigned char yybm[] = {
#define UNSERIALIZE_PARAMETER zval *rval, const unsigned char **p, const unsigned char *max, php_unserialize_data_t *var_hash, HashTable *classes
#define UNSERIALIZE_PASSTHRU rval, p, max, var_hash, classes
+static int php_var_unserialize_internal(UNSERIALIZE_PARAMETER);
+
static zend_always_inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, zend_long elements, int objprops)
{
while (elements-- > 0) {
ZVAL_UNDEF(&key);
- if (!php_var_unserialize_ex(&key, p, max, NULL, classes)) {
+ if (!php_var_unserialize_internal(&key, p, max, NULL, classes)) {
zval_dtor(&key);
return 0;
}
}
}
- if (!php_var_unserialize_ex(data, p, max, var_hash, classes)) {
+ if (!php_var_unserialize_internal(data, p, max, var_hash, classes)) {
zval_dtor(&key);
return 0;
}
return php_var_unserialize_ex(UNSERIALIZE_PASSTHRU);
}
-
PHPAPI int php_var_unserialize_ex(UNSERIALIZE_PARAMETER)
+{
+ var_entries *orig_var_entries = (*var_hash)->last;
+ zend_long orig_used_slots = orig_var_entries ? orig_var_entries->used_slots : 0;
+ int result;
+
+ result = php_var_unserialize_internal(UNSERIALIZE_PASSTHRU);
+
+ if (!result) {
+ /* If the unserialization failed, mark all elements that have been added to var_hash
+ * as NULL. This will forbid their use by other unserialize() calls in the same
+ * unserialization context. */
+ var_entries *e = orig_var_entries;
+ zend_long s = orig_used_slots;
+ while (e) {
+ for (; s < e->used_slots; s++) {
+ e->data[s] = NULL;
+ }
+
+ e = e->next;
+ s = 0;
+ }
+ }
+
+ return result;
+}
+
+static int php_var_unserialize_internal(UNSERIALIZE_PARAMETER)
{
const unsigned char *cursor, *limit, *marker, *start;
zval *rval_ref;
projects / php / commitdiff