From: Stanislav Malyshev
Date: Mon, 18 Jan 2016 07:23:42 +0000 (-0800)
Subject: Fix bug #71313 - Use-after-free vulnerability in SPL(SplObjectStorage, unserialize)
X-Git-Tag: php-7.0.3~15
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=52e0c4081f8454e9086fc7d1bd1a338ac4e05868;p=php
Fix bug #71313 - Use-after-free vulnerability in SPL(SplObjectStorage, unserialize)
---
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index 154a3c08d5..e8d6074653 100644
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -821,7 +821,9 @@ SPL_METHOD(SplObjectStorage, unserialize)
 var_replace(&var_hash, &entry, &element->obj);
 var_replace(&var_hash, &inf, &element->inf);
 zval_ptr_dtor(&entry);
+ ZVAL_UNDEF(&entry);
 zval_ptr_dtor(&inf);
+ ZVAL_UNDEF(&inf);
 }
 if (*p != ';') {
diff --git a/ext/standard/tests/serialize/bug71313.phpt b/ext/standard/tests/serialize/bug71313.phpt
new file mode 100644
index 0000000000..260235b9cd
--- /dev/null
+++ b/ext/standard/tests/serialize/bug71313.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #71311 Use-after-free vulnerability in SPL(SplObjectStorage, unserialize)
+--FILE--
+
+--EXPECTF--
+Fatal error: Uncaught UnexpectedValueException: Error at offset 82 of 113 bytes in %s/bug71313.php:2
+Stack trace:
+#0 [internal function]: SplObjectStorage->unserialize('%s')
+#1 %s/bug71313.php(2): unserialize('%s')
+#2 {main}
+ thrown in %s/bug71313.php on line 2
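Review bot: In `ext/spl/spl_observer.c`, the two added `ZVAL_UNDEF` resets carry no comment saying why they are there, and without one they read as redundant after `zval_ptr_dtor` and could be dropped in a later cleanup. `zval_ptr_dtor` releases the value but does not change the zval it was given, so a later read of `entry` or `inf` would still see the released value; the reset is what turns that read into an undefined zval. Judging by the commit subject, both variables are read again after this point, so I would put `/* entry and inf are read again later: clear them so a released value cannot be reused */` above the first reset. The enclosing loop and the other places that destroy `entry` or `inf` are outside this hunk, so whether those paths need the same reset has to be checked in the full function.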
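Review bot: The `--TEST--` title in `bug71313.phpt` says `Bug #71311`, while the file name and the commit subject both refer to #71313, so the title looks like a typo; I would change the line to `Bug #71313 Use-after-free vulnerability in SPL(SplObjectStorage, unserialize)`. A wrong bug number in the header makes this regression test harder to trace back to the security report it covers. The `--FILE--` section shows no content on this page, which is probably an extraction loss rather than an empty test, so the test input itself is not reviewed here.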