}
/* }}} */
+ZEND_API void zend_unset_property(zend_class_entry *scope, zval *object, const char *name, size_t name_length) /* {{{ */
+{
+ zval property;
+ zend_class_entry *old_scope = EG(scope);
+
+ EG(scope) = scope;
+
+ if (!Z_OBJ_HT_P(object)->unset_property) {
+ zend_error_noreturn(E_CORE_ERROR, "Property %s of class %s cannot be unset", name, ZSTR_VAL(Z_OBJCE_P(object)->name));
+ }
+ ZVAL_STRINGL(&property, name, name_length);
+ Z_OBJ_HT_P(object)->unset_property(object, &property, 0);
+ zval_ptr_dtor(&property);
+
+ EG(scope) = old_scope;
+}
+/* }}} */
+
ZEND_API void zend_update_property_bool(zend_class_entry *scope, zval *object, const char *name, size_t name_length, zend_long value) /* {{{ */
{
zval tmp;
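Review bot: The handler call in `zend_unset_property` passes `0` as the last argument of `unset_property`, which is a pointer parameter (the cache slot); writing it as `Z_OBJ_HT_P(object)->unset_property(object, &property, NULL);` makes the intent explicit. The function also has no header comment, and one line such as `/* Unsets property "name" of object, resolving visibility as if called from scope; EG(scope) is swapped for the call and restored afterwards. */` would document the scope handling visible in the body. The error path prints `name` with `%s` while the normal path uses `name_length`, so callers presumably must pass a NUL-terminated name, and the comment should say so.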
ZEND_API void zend_update_property_str(zend_class_entry *scope, zval *object, const char *name, size_t name_length, zend_string *value);
ZEND_API void zend_update_property_string(zend_class_entry *scope, zval *object, const char *name, size_t name_length, const char *value);
ZEND_API void zend_update_property_stringl(zend_class_entry *scope, zval *object, const char *name, size_t name_length, const char *value, size_t value_length);
+ZEND_API void zend_unset_property(zend_class_entry *scope, zval *object, const char *name, size_t name_length);
ZEND_API int zend_update_static_property(zend_class_entry *scope, const char *name, size_t name_length, zval *value);
ZEND_API int zend_update_static_property_null(zend_class_entry *scope, const char *name, size_t name_length);
Unserialization handler */
ZEND_METHOD(CURLFile, __wakeup)
{
+ zend_unset_property(curl_CURLFile_class, getThis(), "name", sizeof("name")-1);
zend_update_property_string(curl_CURLFile_class, getThis(), "name", sizeof("name")-1, "");
zend_throw_exception(NULL, "Unserialization of CURLFile instances is not allowed", 0);
}
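Review bot: The new `zend_unset_property` call in `CURLFile::__wakeup` has no comment explaining why the property is unset immediately before it is overwritten, so the line looks redundant and could be removed in a later cleanup. Judging from the bug title and the test payload, where `name` is serialized as a reference (`R:1`), the unset appears to detach the property from that reference so the following write does not go through it into a value the unserializer still holds. I would add `/* Unset first: "name" may arrive as a reference into data still being unserialized (bug #73147); writing through it would free memory that is still in use. */` above the call.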
--- /dev/null
+--TEST--
+Bug #73147: Use After Free in PHP7 unserialize()
+--SKIPIF--
+<?php
+if (!extension_loaded("curl")) {
+ exit("skip curl extension not loaded");
+}
+?>
+--FILE--
+<?php
+
+$poc = 'a:1:{i:0;O:8:"CURLFile":1:{s:4:"name";R:1;}}';
+try {
+var_dump(unserialize($poc));
+} catch(Exception $e) {
+ echo $e->getMessage();
+}
+?>
+--EXPECT--
+Unserialization of CURLFile instances is not allowed
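Review bot: The `--EXPECT--` section pins only the exception message, so the test confirms that `__wakeup` still rejects the object but does not by itself observe the memory error named in the title. A use-after-free does not necessarily crash or change output on an ordinary build. A comment in the `--FILE--` section should say so, for example `// Regression test for a use-after-free; meaningful mainly under valgrind or an ASan build.` As a style point, the `var_dump(unserialize($poc));` line inside `try` is not indented like the `catch` body.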