From: Stanislav Malyshev
Date: Sun, 2 Aug 2015 04:51:08 +0000 (-0700)
Subject: Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
X-Git-Tag: php-5.4.44~9
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=863bf294feb9ad425eadb94f288bc7f18673089d;p=php

Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)

---
diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
index b5ddfc0f59..011d7a6e3c 100644
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -500,7 +500,7 @@ static int spl_dllist_object_count_elements(zval *object, long *count TSRMLS_DC)
 *count = spl_ptr_llist_count(intern->llist);
 return SUCCESS;
-}
+}
 /* }}} */
 static HashTable* spl_dllist_object_get_debug_info(zval *obj, int *is_temp TSRMLS_DC) /* {{{{ */
@@ -571,7 +571,7 @@ SPL_METHOD(SplDoublyLinkedList, push)
 spl_ptr_llist_push(intern->llist, value TSRMLS_CC);
 RETURN_TRUE;
-}
+}
 /* }}} */
 /* {{{ proto bool SplDoublyLinkedList::unshift(mixed $value) U
@@ -614,7 +614,7 @@ SPL_METHOD(SplDoublyLinkedList, pop)
 }
 RETURN_ZVAL(value, 1, 1);
-}
+}
 /* }}} */
 /* {{{ proto mixed SplDoublyLinkedList::shift() U
@@ -637,7 +637,7 @@ SPL_METHOD(SplDoublyLinkedList, shift)
 }
 RETURN_ZVAL(value, 1, 1);
-}
+}
 /* }}} */
 /* {{{ proto mixed SplDoublyLinkedList::top() U
@@ -1051,7 +1051,7 @@ static void spl_dllist_it_move_forward(zend_object_iterator *iter TSRMLS_DC) /*
 SPL_METHOD(SplDoublyLinkedList, key)
 {
 spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-
+
 if (zend_parse_parameters_none() == FAILURE) {
 return;
 }
@@ -1065,7 +1065,7 @@ SPL_METHOD(SplDoublyLinkedList, key)
 SPL_METHOD(SplDoublyLinkedList, prev)
 {
 spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-
+
 if (zend_parse_parameters_none() == FAILURE) {
 return;
 }
@@ -1079,7 +1079,7 @@ SPL_METHOD(SplDoublyLinkedList, prev)
 SPL_METHOD(SplDoublyLinkedList, next)
 {
 spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-
+
 if (zend_parse_parameters_none() == FAILURE) {
 return;
 }
@@ -1093,7 +1093,7 @@ SPL_METHOD(SplDoublyLinkedList, next)
 SPL_METHOD(SplDoublyLinkedList, valid)
 {
 spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-
+
 if (zend_parse_parameters_none() == FAILURE) {
 return;
 }
@@ -1107,7 +1107,7 @@ SPL_METHOD(SplDoublyLinkedList, valid)
 SPL_METHOD(SplDoublyLinkedList, rewind)
 {
 spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-
+
 if (zend_parse_parameters_none() == FAILURE) {
 return;
 }
@@ -1122,7 +1122,7 @@ SPL_METHOD(SplDoublyLinkedList, current)
 {
 spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
 spl_ptr_llist_element *element = intern->traverse_pointer;
-
+
 if (zend_parse_parameters_none() == FAILURE) {
 return;
 }
@@ -1177,7 +1177,7 @@ SPL_METHOD(SplDoublyLinkedList, serialize)
 } else {
 RETURN_NULL();
 }
-
+
 } /* }}} */
 /* {{{ proto void SplDoublyLinkedList::unserialize(string serialized)
@@ -1190,7 +1190,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)
 int buf_len;
 const unsigned char *p, *s;
 php_unserialize_data_t var_hash;
-
+
 if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
 return;
 }
@@ -1209,6 +1209,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)
 zval_ptr_dtor(&flags);
 goto error;
 }
+ var_push_dtor(&var_hash, &flags);
 intern->flags = Z_LVAL_P(flags);
 zval_ptr_dtor(&flags);
diff --git a/ext/spl/tests/bug70169.phpt b/ext/spl/tests/bug70169.phpt
new file mode 100644
index 0000000000..9d814be5fa
--- /dev/null
+++ b/ext/spl/tests/bug70169.phpt
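Review bot: The added `var_push_dtor(&var_hash, &flags);` in the -1209 hunk carries no comment, and why it has to come before the `zval_ptr_dtor(&flags)` two lines below is not obvious from the code; a short why-comment would help, e.g. `/* register flags with the unserialize state so it is not released by the dtor below while a later back-reference can still reach it */`. The registration is made only on the success path: in the failure branch just above, `zval_ptr_dtor(&flags)` is followed by `goto error` without it, which is fine only if nothing after the error label (outside this hunk) still dereferences that zval — worth confirming. If the remainder of SplDoublyLinkedList::unserialize reads the list elements with the same php_var_unserialize-then-dtor pattern, the same registration presumably belongs there too. The enclosing function starts and ends outside the hunk; the other hunks in this file are whitespace-only.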
@@ -0,0 +1,30 @@
+--TEST--
+SPL: Bug #70169 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList
+--FILE--
+
+===DONE===
+--EXPECTF--
+array(2) {
+ [0]=>
+ object(SplDoublyLinkedList)#%d (2) {
+ ["flags":"SplDoublyLinkedList":private]=>
+ int(1)
+ ["dllist":"SplDoublyLinkedList":private]=>
+ array(0) {
+ }
+ }
+ [1]=>
+ int(1)
+}
+===DONE===