From: Xinchen Hui
Date: Wed, 2 Jul 2014 09:57:42 +0000 (+0800)
Subject: Fixed bug #67539 (ArrayIterator use-after-free due to object change during sorting)
X-Git-Tag: php-5.5.15RC1~23
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=22882a9d89712ff2b6ebc20a689a89452bba4dcd;p=php

Fixed bug #67539 (ArrayIterator use-after-free due to object change during sorting)
---

diff --git a/NEWS b/NEWS
index 7d23ec0ede..4a848548ab 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,8 @@ PHP NEWS
 which affected builds against libpq < 7.3. (Adam)
 - SPL:
+ . Fixed bug #67539 (ArrayIterator use-after-free due to object change during
+ sorting). (research at insighti dot org, Laruence)
 . Fixed bug #67538 (SPL Iterators use-after-free). (Laruence)
 - Streams:
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 8392e72714..0fe47b651c 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1733,6 +1733,7 @@ SPL_METHOD(Array, unserialize)
 const unsigned char *p, *s;
 php_unserialize_data_t var_hash;
 zval *pmembers, *pflags = NULL;
+ HashTable *aht;
 long flags;
 if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
@@ -1744,6 +1745,12 @@ SPL_METHOD(Array, unserialize)
 return;
 }
+ aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
+ if (aht->nApplyCount > 0) {
+ zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
+ return;
+ }
+
 /* storage */
 s = p = (const unsigned char*)buf;
 PHP_VAR_UNSERIALIZE_INIT(var_hash);
diff --git a/ext/spl/tests/bug67539.phpt b/ext/spl/tests/bug67539.phpt
new file mode 100644
index 0000000000..8bab2a8c21
--- /dev/null
+++ b/ext/spl/tests/bug67539.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #67539 (ArrayIterator use-after-free due to object change during sorting)
+--FILE--
+unserialize($GLOBALS['it']->serialize());
+ return TRUE;
+}
+
+$it->uksort('badsort');
+--EXPECTF--
+Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d
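Review bot: The guard added in the second spl_array.c hunk reads `aht->nApplyCount` without first checking that `spl_array_get_hash_table()` returned a table. That helper's body is not visible here, so confirm whether it can return NULL when the wrapped value is no longer an array; if it can, unserialize() would dereference a null pointer before the warning is reached, and `if (aht && aht->nApplyCount > 0) {` closes that gap. A short comment above the check would record why it exists, e.g. `/* a user sort callback can re-enter unserialize(); replacing the storage while the sort is running frees memory the sort still uses */`. The body of SPL_METHOD(Array, unserialize) starts and ends outside the hunk, so whether other paths in it touch the storage before this check cannot be judged from here.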