From 646572d6d3847d68124b03936719f60936b49a38 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 17 Mar 2015 13:20:22 -0700 Subject: [PATCH] Fixed bug #68976 - Use After Free Vulnerability in unserialize() --- NEWS | 3 +- ext/standard/var_unserializer.c | 63 ++++++++++++++++---------------- ext/standard/var_unserializer.re | 1 + 3 files changed, 35 insertions(+), 32 deletions(-) diff --git a/NEWS b/NEWS index 3fac92c805..5d4925b846 100644 --- a/NEWS +++ b/NEWS @@ -3,9 +3,10 @@ PHP NEWS ?? ??? 2015 PHP 5.4.39 - Core: - . Fixed bug #69207 (move_uploaded_file allows nulls in path). (Stas) + . Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (Stas) . Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski) + . Fixed bug #69207 (move_uploaded_file allows nulls in path). (Stas) - SOAP: . Fixed bug #69085 (SoapClient's __call() type confusion through diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c index f114080b86..ee0cac4762 100644 --- a/ext/standard/var_unserializer.c +++ b/ext/standard/var_unserializer.c @@ -1,4 +1,4 @@ -/* Generated by re2c 0.13.7.5 on Thu Jan 1 14:43:18 2015 */ +/* Generated by re2c 0.13.7.5 on Tue Mar 17 13:14:30 2015 */ #line 1 "ext/standard/var_unserializer.re" /* +----------------------------------------------------------------------+ @@ -349,6 +349,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof data, NULL); } + var_push_dtor(var_hash, &data); zval_dtor(key); FREE_ZVAL(key); @@ -483,7 +484,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER) -#line 487 "ext/standard/var_unserializer.c" +#line 488 "ext/standard/var_unserializer.c" { YYCTYPE yych; static const unsigned char yybm[] = { 
@@ -543,9 +544,9 @@ yy2: yych = *(YYMARKER = ++YYCURSOR); if (yych == ':') goto yy95; yy3: -#line 838 "ext/standard/var_unserializer.re" +#line 839 "ext/standard/var_unserializer.re" { return 0; } -#line 549 "ext/standard/var_unserializer.c" +#line 550 "ext/standard/var_unserializer.c" yy4: yych = *(YYMARKER = ++YYCURSOR); if (yych == ':') goto yy89; @@ -588,13 +589,13 @@ yy13: goto yy3; yy14: ++YYCURSOR; -#line 832 "ext/standard/var_unserializer.re" +#line 833 "ext/standard/var_unserializer.re" { /* this is the case where we have less data than planned */ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data"); return 0; /* not sure if it should be 0 or 1 here? */ } -#line 598 "ext/standard/var_unserializer.c" +#line 599 "ext/standard/var_unserializer.c" yy16: yych = *++YYCURSOR; goto yy3; @@ -625,7 +626,7 @@ yy20: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 686 "ext/standard/var_unserializer.re" +#line 687 "ext/standard/var_unserializer.re" { size_t len, len2, len3, maxlen; long elements; @@ -771,7 +772,7 @@ yy20: return object_common2(UNSERIALIZE_PASSTHRU, elements); } -#line 775 "ext/standard/var_unserializer.c" +#line 776 "ext/standard/var_unserializer.c" yy25: yych = *++YYCURSOR; if (yych <= ',') { @@ -796,7 +797,7 @@ yy27: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 678 "ext/standard/var_unserializer.re" +#line 679 "ext/standard/var_unserializer.re" { INIT_PZVAL(*rval); @@ -804,7 +805,7 @@ yy27: return object_common2(UNSERIALIZE_PASSTHRU, object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR)); } -#line 808 "ext/standard/var_unserializer.c" +#line 809 "ext/standard/var_unserializer.c" yy32: yych = *++YYCURSOR; if (yych == '+') goto yy33; 
@@ -825,7 +826,7 @@ yy34: yych = *++YYCURSOR; if (yych != '{') goto yy18; ++YYCURSOR; -#line 658 "ext/standard/var_unserializer.re" +#line 659 "ext/standard/var_unserializer.re" { long elements = parse_iv(start + 2); /* use iv() not uiv() in order to check data range */ @@ -845,7 +846,7 @@ yy34: return finish_nested_data(UNSERIALIZE_PASSTHRU); } -#line 849 "ext/standard/var_unserializer.c" +#line 850 "ext/standard/var_unserializer.c" yy39: yych = *++YYCURSOR; if (yych == '+') goto yy40; @@ -866,7 +867,7 @@ yy41: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 629 "ext/standard/var_unserializer.re" +#line 630 "ext/standard/var_unserializer.re" { size_t len, maxlen; char *str; @@ -895,7 +896,7 @@ yy41: ZVAL_STRINGL(*rval, str, len, 0); return 1; } -#line 899 "ext/standard/var_unserializer.c" +#line 900 "ext/standard/var_unserializer.c" yy46: yych = *++YYCURSOR; if (yych == '+') goto yy47; @@ -916,7 +917,7 @@ yy48: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 601 "ext/standard/var_unserializer.re" +#line 602 "ext/standard/var_unserializer.re" { size_t len, maxlen; char *str; @@ -944,7 +945,7 @@ yy48: ZVAL_STRINGL(*rval, str, len, 1); return 1; } -#line 948 "ext/standard/var_unserializer.c" +#line 949 "ext/standard/var_unserializer.c" yy53: yych = *++YYCURSOR; if (yych <= '/') { @@ -1032,7 +1033,7 @@ yy61: } yy63: ++YYCURSOR; -#line 591 "ext/standard/var_unserializer.re" +#line 592 "ext/standard/var_unserializer.re" { #if SIZEOF_LONG == 4 use_double: @@ -1042,7 +1043,7 @@ use_double: ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL)); return 1; } -#line 1046 "ext/standard/var_unserializer.c" +#line 1047 "ext/standard/var_unserializer.c" yy65: yych = *++YYCURSOR; if (yych <= ',') { @@ -1101,7 +1102,7 @@ yy73: yych = *++YYCURSOR; if (yych != ';') goto yy18; ++YYCURSOR; -#line 576 "ext/standard/var_unserializer.re" +#line 577 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); 
@@ -1116,7 +1117,7 @@ yy73: return 1; } -#line 1120 "ext/standard/var_unserializer.c" +#line 1121 "ext/standard/var_unserializer.c" yy76: yych = *++YYCURSOR; if (yych == 'N') goto yy73; @@ -1143,7 +1144,7 @@ yy79: if (yych <= '9') goto yy79; if (yych != ';') goto yy18; ++YYCURSOR; -#line 549 "ext/standard/var_unserializer.re" +#line 550 "ext/standard/var_unserializer.re" { #if SIZEOF_LONG == 4 int digits = YYCURSOR - start - 3; @@ -1170,7 +1171,7 @@ yy79: ZVAL_LONG(*rval, parse_iv(start + 2)); return 1; } -#line 1174 "ext/standard/var_unserializer.c" +#line 1175 "ext/standard/var_unserializer.c" yy83: yych = *++YYCURSOR; if (yych <= '/') goto yy18; @@ -1178,24 +1179,24 @@ yy83: yych = *++YYCURSOR; if (yych != ';') goto yy18; ++YYCURSOR; -#line 542 "ext/standard/var_unserializer.re" +#line 543 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_BOOL(*rval, parse_iv(start + 2)); return 1; } -#line 1189 "ext/standard/var_unserializer.c" +#line 1190 "ext/standard/var_unserializer.c" yy87: ++YYCURSOR; -#line 535 "ext/standard/var_unserializer.re" +#line 536 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_NULL(*rval); return 1; } -#line 1199 "ext/standard/var_unserializer.c" +#line 1200 "ext/standard/var_unserializer.c" yy89: yych = *++YYCURSOR; if (yych <= ',') { @@ -1218,7 +1219,7 @@ yy91: if (yych <= '9') goto yy91; if (yych != ';') goto yy18; ++YYCURSOR; -#line 512 "ext/standard/var_unserializer.re" +#line 513 "ext/standard/var_unserializer.re" { long id; @@ -1241,7 +1242,7 @@ yy91: return 1; } -#line 1245 "ext/standard/var_unserializer.c" +#line 1246 "ext/standard/var_unserializer.c" yy95: yych = *++YYCURSOR; if (yych <= ',') { @@ -1264,7 +1265,7 @@ yy97: if (yych <= '9') goto yy97; if (yych != ';') goto yy18; ++YYCURSOR; -#line 491 "ext/standard/var_unserializer.re" +#line 492 "ext/standard/var_unserializer.re" { long id; 
@@ -1285,9 +1286,9 @@ yy97: return 1; } -#line 1289 "ext/standard/var_unserializer.c" +#line 1290 "ext/standard/var_unserializer.c" } -#line 840 "ext/standard/var_unserializer.re" +#line 841 "ext/standard/var_unserializer.re" return 0; diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index f04fc74c31..abac77ccea 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re @@ -353,6 +353,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof data, NULL); } + var_push_dtor(var_hash, &data); zval_dtor(key); FREE_ZVAL(key); -- 2.40.0
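Review bot: The added `var_push_dtor(var_hash, &data);` after the hash update needs a why-comment, because the extra reference it presumably takes on `data` looks like a leak to a later reader and is exactly the kind of line that gets "cleaned up", reintroducing the use-after-free the subject names; I would put `/* keep data alive until var_destroy(): var_hash may still point at it (bug #68976) */` directly above it. From the lines shown the call sits after the closing brace of the preceding if/else, so it appears to cover both update paths into `ht`, which is what is needed if either update can release a zval that `var_hash` still references; process_nested_data begins and ends outside the hunk, so I cannot confirm that no earlier exit from the loop body skips it. The comment belongs in the .re file, since the mirrored hunk in var_unserializer.c on the first line of the patch is re2c output that is regenerated. The diffstat lists only NEWS and the two unserializer sources, so a .phpt regression test for #68976 should accompany the fix.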