From: Nikita Popov
Date: Mon, 16 Sep 2019 12:37:16 +0000 (+0200)
Subject: Fix use-after-free due to packed->mixed conversion with __unserialize()
X-Git-Tag: php-7.4.0RC2~19
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c3376bf7aebe193185ee5970b9d1e7f56f8c15d6;p=php

Fix use-after-free due to packed->mixed conversion with __unserialize()
---
diff --git a/ext/standard/tests/serialize/__serialize_007.phpt b/ext/standard/tests/serialize/__serialize_007.phpt
new file mode 100644
index 0000000000..32cad44dba
--- /dev/null
+++ b/ext/standard/tests/serialize/__serialize_007.phpt
@@ -0,0 +1,15 @@
+--TEST--
+No packed -> mixed reallocation while populating __unserialize() array
+--FILE--
+getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Incomplete or ill-typed serialization data
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index fcc68dc431..1c0eaf6216 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -651,6 +651,8 @@ static inline int object_common(UNSERIALIZE_PARAMETER, zend_long elements, zend_
 }
 array_init_size(&ary, elements);
+ /* Avoid reallocation due to packed -> mixed conversion. */
+ zend_hash_real_init_mixed(Z_ARRVAL(ary));
 if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_ARRVAL(ary), elements, NULL)) {
 ZVAL_DEREF(rval);
 GC_ADD_FLAGS(Z_OBJ_P(rval), IS_OBJ_DESTRUCTOR_CALLED);
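Review bot: The comment added above `zend_hash_real_init_mixed(Z_ARRVAL(ary))` in object_common() says what is avoided but not why it matters, so a later reader tuning memory use of __unserialize() payloads could drop the call as a needless pessimization for integer-keyed data; suggest `/* Force a mixed table before process_nested_data() fills it: a packed -> mixed conversion mid-population would reallocate the table and leave a stale pointer into it (the use-after-free this commit fixes). */`. Which pointer dangled is not visible in the hunk, so that wording should be checked against the new __serialize_007.phpt case, whose body is only partially legible on this page. It is also worth confirming that the other process_nested_data() call sites that populate a freshly created array do not share the exposure, since only this site is changed. object_common() starts and ends outside the hunk.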