From: Stanislav Malyshev Date: Fri, 12 Dec 2014 03:28:32 +0000 (-0800) Subject: Fix bug #68594 - Use after free vulnerability in unserialize() X-Git-Tag: php-5.4.36~3 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=630f9c33c23639de85c3fd306b209b538b73b4c9;p=php Fix bug #68594 - Use after free vulnerability in unserialize() --- diff --git a/NEWS b/NEWS index f80cffe575..0ffbd1166b 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,8 @@ PHP NEWS - Core: . Upgraded crypt_blowfish to version 1.3. (Leigh) . Fixed bug #68545 (NULL pointer dereference in unserialize.c). (Anatol) + . Fixed bug #68594 (Use after free vulnerability in unserialize()). + (Stefan Esser) 13 Nov 2014 PHP 5.4.35 diff --git a/ext/standard/tests/serialize/bug68594.phpt b/ext/standard/tests/serialize/bug68594.phpt new file mode 100644 index 0000000000..60fc7a76ab --- /dev/null +++ b/ext/standard/tests/serialize/bug68594.phpt @@ -0,0 +1,23 @@ +--TEST-- +Bug #68545 Use after free vulnerability in unserialize() +--FILE-- +aaa = array(1,2,&$u,4,5); + $m->bbb = 1; + $m->ccc = &$u; + $m->ddd = str_repeat("A", $i); + + $z = serialize($m); + $z = str_replace("bbb", "aaa", $z); + $y = unserialize($z); + $z = serialize($y); +} +?> +===DONE=== +--EXPECTF-- +===DONE=== diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c index f6f31bd3e7..a12d2fa24e 100644 --- a/ext/standard/var_unserializer.c +++ b/ext/standard/var_unserializer.c @@ -1,4 +1,4 @@ -/* Generated by re2c 0.13.5 */ +/* Generated by re2c 0.13.7.5 on Thu Dec 11 19:26:19 2014 */ #line 1 "ext/standard/var_unserializer.re" /* +----------------------------------------------------------------------+ 
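Review bot: The new test's `--TEST--` line in ext/standard/tests/serialize/bug68594.phpt names bug #68545, while the file name, the NEWS entry and the commit title are for #68594; change it to `Bug #68594 Use after free vulnerability in unserialize()` so the test is attributed to the right report. The body of the test as shown here appears truncated by the page rendering (the opening PHP tag and loop header are missing), so I cannot judge the loop itself. The expected output is only `===DONE===`, which is fine for a memory-safety regression meant to run under valgrind/ASan, but a one-line `var_dump($y == unserialize($z));` style check would also catch silent data corruption without a crash.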
@@ -343,6 +343,9 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long } else { /* object properties should include no integers */ convert_to_string(key); + if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { + var_push_dtor(var_hash, old_data); + } zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof data, NULL); } @@ -480,7 +483,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER) -#line 484 "ext/standard/var_unserializer.c" +#line 487 "ext/standard/var_unserializer.c" { YYCTYPE yych; static const unsigned char yybm[] = { @@ -540,9 +543,9 @@ yy2: yych = *(YYMARKER = ++YYCURSOR); if (yych == ':') goto yy95; yy3: -#line 835 "ext/standard/var_unserializer.re" +#line 838 "ext/standard/var_unserializer.re" { return 0; } -#line 546 "ext/standard/var_unserializer.c" +#line 549 "ext/standard/var_unserializer.c" yy4: yych = *(YYMARKER = ++YYCURSOR); if (yych == ':') goto yy89; @@ -585,13 +588,13 @@ yy13: goto yy3; yy14: ++YYCURSOR; -#line 829 "ext/standard/var_unserializer.re" +#line 832 "ext/standard/var_unserializer.re" { /* this is the case where we have less data than planned */ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data"); return 0; /* not sure if it should be 0 or 1 here? */ } -#line 595 "ext/standard/var_unserializer.c" +#line 598 "ext/standard/var_unserializer.c" yy16: yych = *++YYCURSOR; goto yy3; @@ -617,11 +620,12 @@ yy20: if (yybm[0+yych] & 128) { goto yy20; } - if (yych != ':') goto yy18; + if (yych <= '/') goto yy18; + if (yych >= ';') goto yy18; yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 683 "ext/standard/var_unserializer.re" +#line 686 "ext/standard/var_unserializer.re" { size_t len, len2, len3, maxlen; long elements; 
@@ -767,7 +771,7 @@ yy20: return object_common2(UNSERIALIZE_PASSTHRU, elements); } -#line 771 "ext/standard/var_unserializer.c" +#line 775 "ext/standard/var_unserializer.c" yy25: yych = *++YYCURSOR; if (yych <= ',') { @@ -792,7 +796,7 @@ yy27: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 675 "ext/standard/var_unserializer.re" +#line 678 "ext/standard/var_unserializer.re" { INIT_PZVAL(*rval); @@ -800,7 +804,7 @@ yy27: return object_common2(UNSERIALIZE_PASSTHRU, object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR)); } -#line 804 "ext/standard/var_unserializer.c" +#line 808 "ext/standard/var_unserializer.c" yy32: yych = *++YYCURSOR; if (yych == '+') goto yy33; @@ -821,7 +825,7 @@ yy34: yych = *++YYCURSOR; if (yych != '{') goto yy18; ++YYCURSOR; -#line 655 "ext/standard/var_unserializer.re" +#line 658 "ext/standard/var_unserializer.re" { long elements = parse_iv(start + 2); /* use iv() not uiv() in order to check data range */ @@ -841,7 +845,7 @@ yy34: return finish_nested_data(UNSERIALIZE_PASSTHRU); } -#line 845 "ext/standard/var_unserializer.c" +#line 849 "ext/standard/var_unserializer.c" yy39: yych = *++YYCURSOR; if (yych == '+') goto yy40; @@ -862,7 +866,7 @@ yy41: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 626 "ext/standard/var_unserializer.re" +#line 629 "ext/standard/var_unserializer.re" { size_t len, maxlen; char *str; @@ -891,7 +895,7 @@ yy41: ZVAL_STRINGL(*rval, str, len, 0); return 1; } -#line 895 "ext/standard/var_unserializer.c" +#line 899 "ext/standard/var_unserializer.c" yy46: yych = *++YYCURSOR; if (yych == '+') goto yy47; @@ -912,7 +916,7 @@ yy48: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 598 "ext/standard/var_unserializer.re" +#line 601 "ext/standard/var_unserializer.re" { size_t len, maxlen; char *str; 
@@ -940,7 +944,7 @@ yy48: ZVAL_STRINGL(*rval, str, len, 1); return 1; } -#line 944 "ext/standard/var_unserializer.c" +#line 948 "ext/standard/var_unserializer.c" yy53: yych = *++YYCURSOR; if (yych <= '/') { @@ -1028,7 +1032,7 @@ yy61: } yy63: ++YYCURSOR; -#line 588 "ext/standard/var_unserializer.re" +#line 591 "ext/standard/var_unserializer.re" { #if SIZEOF_LONG == 4 use_double: @@ -1038,7 +1042,7 @@ use_double: ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL)); return 1; } -#line 1042 "ext/standard/var_unserializer.c" +#line 1046 "ext/standard/var_unserializer.c" yy65: yych = *++YYCURSOR; if (yych <= ',') { @@ -1097,7 +1101,7 @@ yy73: yych = *++YYCURSOR; if (yych != ';') goto yy18; ++YYCURSOR; -#line 573 "ext/standard/var_unserializer.re" +#line 576 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); @@ -1112,7 +1116,7 @@ yy73: return 1; } -#line 1116 "ext/standard/var_unserializer.c" +#line 1120 "ext/standard/var_unserializer.c" yy76: yych = *++YYCURSOR; if (yych == 'N') goto yy73; @@ -1139,7 +1143,7 @@ yy79: if (yych <= '9') goto yy79; if (yych != ';') goto yy18; ++YYCURSOR; -#line 546 "ext/standard/var_unserializer.re" +#line 549 "ext/standard/var_unserializer.re" { #if SIZEOF_LONG == 4 int digits = YYCURSOR - start - 3; @@ -1166,7 +1170,7 @@ yy79: ZVAL_LONG(*rval, parse_iv(start + 2)); return 1; } -#line 1170 "ext/standard/var_unserializer.c" +#line 1174 "ext/standard/var_unserializer.c" yy83: yych = *++YYCURSOR; if (yych <= '/') goto yy18; 
@@ -1174,24 +1178,24 @@ yy83: yych = *++YYCURSOR; if (yych != ';') goto yy18; ++YYCURSOR; -#line 539 "ext/standard/var_unserializer.re" +#line 542 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_BOOL(*rval, parse_iv(start + 2)); return 1; } -#line 1185 "ext/standard/var_unserializer.c" +#line 1189 "ext/standard/var_unserializer.c" yy87: ++YYCURSOR; -#line 532 "ext/standard/var_unserializer.re" +#line 535 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_NULL(*rval); return 1; } -#line 1195 "ext/standard/var_unserializer.c" +#line 1199 "ext/standard/var_unserializer.c" yy89: yych = *++YYCURSOR; if (yych <= ',') { @@ -1214,7 +1218,7 @@ yy91: if (yych <= '9') goto yy91; if (yych != ';') goto yy18; ++YYCURSOR; -#line 509 "ext/standard/var_unserializer.re" +#line 512 "ext/standard/var_unserializer.re" { long id; @@ -1237,7 +1241,7 @@ yy91: return 1; } -#line 1241 "ext/standard/var_unserializer.c" +#line 1245 "ext/standard/var_unserializer.c" yy95: yych = *++YYCURSOR; if (yych <= ',') { @@ -1260,7 +1264,7 @@ yy97: if (yych <= '9') goto yy97; if (yych != ';') goto yy18; ++YYCURSOR; -#line 488 "ext/standard/var_unserializer.re" +#line 491 "ext/standard/var_unserializer.re" { long id; @@ -1281,9 +1285,9 @@ yy97: return 1; } -#line 1285 "ext/standard/var_unserializer.c" +#line 1289 "ext/standard/var_unserializer.c" } -#line 837 "ext/standard/var_unserializer.re" +#line 840 "ext/standard/var_unserializer.re" return 0; diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index 7afef6a95a..4cf1d10832 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re 
@@ -347,6 +347,9 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long } else { /* object properties should include no integers */ convert_to_string(key); + if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { + var_push_dtor(var_hash, old_data); + } zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof data, NULL); }
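Review bot: The added lookup and the existing store disagree on key semantics: `zend_symtable_find` treats a numeric property name such as "123" as integer index 123, whereas the following `zend_hash_update` stores it under the literal string key (deliberately, per the "object properties should include no integers" comment), so a duplicated numeric-string property is not found, `old_data` is not pushed to the dtor list, and the hash destructor still frees a zval that var_hash may reference — the use-after-free this commit closes appears to stay open for that case. Matching the store, the check should be `if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {`. The non-object branch above `} else {` is outside this hunk; if it overwrites array entries the same way (index or symtable update without a `var_push_dtor` guard), it presumably needs the same treatment. process_nested_data starts and ends outside the hunk.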