Fixed bug #68976 - Use After Free Vulnerability in unserialize()

author Stanislav Malyshev <stas@php.net>

Tue, 17 Mar 2015 20:20:22 +0000 (13:20 -0700)

committer Stanislav Malyshev <stas@php.net>

Tue, 17 Mar 2015 23:31:52 +0000 (16:31 -0700)
author Stanislav Malyshev <stas@php.net>
Tue, 17 Mar 2015 20:20:22 +0000 (13:20 -0700)
committer Stanislav Malyshev <stas@php.net>
Tue, 17 Mar 2015 23:31:52 +0000 (16:31 -0700)
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re

index 0b8a8ccf167d2a8c216f0efc85caec75e1941482..cfb116a447a8e8068b057f69f74336d72ad630bf 100644 (file)
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -396,6 +396,8 @@ string_key:
                         return 0;
                 }
  
+               var_push_dtor(var_hash, data);
+
                 if (elements && *(*p-1) != ';' && *(*p-1) != '}') {
                         (*p)--;
                         return 0;
author	Stanislav Malyshev <stas@php.net>
	Tue, 17 Mar 2015 20:20:22 +0000 (13:20 -0700)
committer	Stanislav Malyshev <stas@php.net>
	Tue, 17 Mar 2015 23:31:52 +0000 (16:31 -0700)