diff options
author | Stanislav Malyshev <stas@php.net> | 2014-09-28 14:19:31 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2014-10-13 23:14:25 -0700 |
commit | 56754a7f9eba0e4f559b6ca081d9f2a447b3f159 (patch) | |
tree | 6ae44808f3a54c734cd9aaf94c668e3ed7789fa9 | |
parent | 88412772d295ebf7dd34409534507dc9bcac726e (diff) | |
download | php-git-56754a7f9eba0e4f559b6ca081d9f2a447b3f159.tar.gz |
Fixed bug #68044: Integer overflow in unserialize() (32-bits only)
-rw-r--r-- | NEWS | 5 | ||||
-rw-r--r-- | ext/standard/tests/serialize/bug68044.phpt | 12 | ||||
-rw-r--r-- | ext/standard/var_unserializer.c | 4 | ||||
-rw-r--r-- | ext/standard/var_unserializer.re | 2 |
4 files changed, 19 insertions, 4 deletions
@@ -8,12 +8,15 @@ PHP NEWS - Core: . Fixed bug #67985 (Incorrect last used array index copied to new array after unset). (Tjerk) + . Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)). + (CVE-2014-3669) (Stas) - OpenSSL: . Reverted fixes for bug #41631, due to regressions. (Stas) - XMLRPC: - . Fixed bug #68027 (Global buffer overflow in mkgmtime() function). (Stas) + . Fixed bug #68027 (Global buffer overflow in mkgmtime() function). + (CVE-2014-3668) (Stas) 18 Sep 2014, PHP 5.4.33 diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt new file mode 100644 index 0000000000..031e44e149 --- /dev/null +++ b/ext/standard/tests/serialize/bug68044.phpt @@ -0,0 +1,12 @@ +--TEST-- +Bug #68044 Integer overflow in unserialize() (32-bits only) +--FILE-- +<?php + echo unserialize('C:3:"XYZ":18446744075857035259:{}'); +?> +===DONE== +--EXPECTF-- +Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2 + +Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2 +===DONE== diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c index 657051f6f7..8129da3d82 100644 --- a/ext/standard/var_unserializer.c +++ b/ext/standard/var_unserializer.c @@ -1,4 +1,4 @@ -/* Generated by re2c 0.13.5 on Sat Jun 21 21:27:56 2014 */ +/* Generated by re2c 0.13.5 */ #line 1 "ext/standard/var_unserializer.re" /* +----------------------------------------------------------------------+ @@ -372,7 +372,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) (*p) += 2; - if (datalen < 0 || (*p) + datalen >= max) { + if (datalen < 0 || (max - (*p)) <= datalen) { zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p))); return 0; } diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index 130750805f..6de158392e 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re @@ -376,7 +376,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) (*p) += 2; - if (datalen < 0 || (*p) + datalen >= max) { + if (datalen < 0 || (max - (*p)) <= datalen) { zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p))); return 0; } |