*count = spl_ptr_llist_count(intern->llist);
return SUCCESS;
-}
+}
/* }}} */
static HashTable* spl_dllist_object_get_debug_info(zval *obj, int *is_temp TSRMLS_DC) /* {{{{ */
spl_ptr_llist_push(intern->llist, value TSRMLS_CC);
RETURN_TRUE;
-}
+}
/* }}} */
/* {{{ proto bool SplDoublyLinkedList::unshift(mixed $value) U
}
RETURN_ZVAL(value, 1, 1);
-}
+}
/* }}} */
/* {{{ proto mixed SplDoublyLinkedList::shift() U
}
RETURN_ZVAL(value, 1, 1);
-}
+}
/* }}} */
/* {{{ proto mixed SplDoublyLinkedList::top() U
SPL_METHOD(SplDoublyLinkedList, key)
{
spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
SPL_METHOD(SplDoublyLinkedList, prev)
{
spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
SPL_METHOD(SplDoublyLinkedList, next)
{
spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
SPL_METHOD(SplDoublyLinkedList, valid)
{
spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
SPL_METHOD(SplDoublyLinkedList, rewind)
{
spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
{
spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
spl_ptr_llist_element *element = intern->traverse_pointer;
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
} else {
RETURN_NULL();
}
-
+
} /* }}} */
/* {{{ proto void SplDoublyLinkedList::unserialize(string serialized)
int buf_len;
const unsigned char *p, *s;
php_unserialize_data_t var_hash;
-
+
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
return;
}
zval_ptr_dtor(&flags);
goto error;
}
+ var_push_dtor(&var_hash, &flags);
intern->flags = Z_LVAL_P(flags);
zval_ptr_dtor(&flags);
--- /dev/null
+--TEST--
+SPL: Bug #70169 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList
+--FILE--
+<?php
+$inner = 'i:1;';
+$exploit = 'a:2:{i:0;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:1;R:3;}';
+
+$data = unserialize($exploit);
+
+for($i = 0; $i < 5; $i++) {
+ $v[$i] = 'hi'.$i;
+}
+
+var_dump($data);
+?>
+===DONE===
+--EXPECTF--
+array(2) {
+ [0]=>
+ object(SplDoublyLinkedList)#%d (2) {
+ ["flags":"SplDoublyLinkedList":private]=>
+ int(1)
+ ["dllist":"SplDoublyLinkedList":private]=>
+ array(0) {
+ }
+ }
+ [1]=>
+ int(1)
+}
+===DONE===
projects / php / commitdiff