From: Stanislav Malyshev <stas@php.net>
Date: Mon, 24 Oct 2016 04:56:35 +0000 (-0700)
Subject: Fix bug #73144 and bug #73341 - remove extra dtor
X-Git-Tag: php-7.1.0RC6~4^2^2~3
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7cf7920055d44da72529b4277e6890c99cf1932e;p=php

Fix bug #73144 and bug #73341 - remove extra dtor

(cherry picked from commit f74d7d92c8bc1edc2505e0b58546217e9e1ecb40)

Conflicts:
	ext/spl/spl_array.c

Merged the test only, in 7.0 tree the removed dtor call is already
not present.
---

diff --git a/ext/standard/tests/serialize/bug73341.phpt b/ext/standard/tests/serialize/bug73341.phpt
new file mode 100644
index 0000000000..55423217c3
--- /dev/null
+++ b/ext/standard/tests/serialize/bug73341.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug #73144 (Use-afte-free in ArrayObject Deserialization)
+--FILE--
+<?php
+try {
+$token = 'a:2:{i:0;O:1:"0":2:0s:1:"0";i:0;s:1:"0";a:1:{i:0;C:11:"ArrayObject":7:0x:i:0;r0';
+$obj = unserialize($token);
+} catch(Exception $e) {
+	echo $e->getMessage()."\n";
+}
+
+try {
+$inner = 'x:i:1;O:8:"stdClass":1:{};m:a:0:{}';
+$exploit = 'C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}';
+unserialize($exploit);
+} catch(Exception $e) {
+	echo $e->getMessage()."\n";
+}
+?>
+--EXPECTF--
+Error at offset 6 of 7 bytes
+
+Notice: ArrayObject::unserialize(): Unexpected end of serialized data in %sbug73341.php on line %d
+Error at offset 24 of 34 bytes
\ No newline at end of file