author | Stanislav Malyshev <stas@php.net> | 2015-08-01 21:45:19 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2015-08-01 22:01:40 -0700 |
commit | 7381b6accc5559b2de039af3a22f6ec1003b03b3 (patch) | |
tree | 3cb1369d20f970540c4160ef5a0f3bf906824adc | |
parent | c7d3c027d5ce45c96c8450a7f074ab2dfbcaa0c4 (diff) | |
download | php-git-7381b6accc5559b2de039af3a22f6ec1003b03b3.tar.gz |
Fixed bug #70166 - Use After Free Vulnerability in unserialize() with SPLArrayObject
-rw-r--r-- | ext/spl/spl_array.c | 3 | ||||
-rw-r--r-- | ext/spl/tests/bug70166.phpt | 29 |
2 files changed, 32 insertions, 0 deletions
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index a37eced002..86608c0d52 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1777,6 +1777,7 @@ SPL_METHOD(Array, unserialize)
 goto outexcept;
 }
+ var_push_dtor(&var_hash, &pflags);
 --p; /* for ';' */
 flags = Z_LVAL_P(pflags);
 /* flags needs to be verified and we also need to verify whether the next
@@ -1800,6 +1801,7 @@ SPL_METHOD(Array, unserialize)
 if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {
 goto outexcept;
 }
+ var_push_dtor(&var_hash, &intern->array);
 }
 if (*p != ';') {
 goto outexcept;
@@ -1818,6 +1820,7 @@ SPL_METHOD(Array, unserialize)
 goto outexcept;
 }
+ var_push_dtor(&var_hash, &pmembers);
 /* copy members */
 if (!intern->std.properties) {
 rebuild_object_properties(&intern->std);
diff --git a/ext/spl/tests/bug70166.phpt b/ext/spl/tests/bug70166.phpt
new file mode 100644
index 0000000000..51a35965a5
--- /dev/null
+++ b/ext/spl/tests/bug70166.phpt
@@ -0,0 +1,29 @@
+--TEST--
+SPL: Bug #70166 Use After Free Vulnerability in unserialize() with SPLArrayObject
+--FILE--
+<?php
+$inner = 'x:i:1;a:0:{};m:a:0:{}';
+$exploit = 'a:2:{i:0;C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}i:1;R:5;}';
+
+$data = unserialize($exploit);
+
+for($i = 0; $i < 5; $i++) {
+ $v[$i] = 'hi'.$i;
+}
+
+var_dump($data);
+?>
+===DONE===
+--EXPECTF--
+array(2) {
+ [0]=>
+ object(ArrayObject)#%d (1) {
+ ["storage":"ArrayObject":private]=>
+ array(0) {
+ }
+ }
+ [1]=>
+ array(0) {
+ }
+}
+===DONE=== |
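Review bot: The new `var_push_dtor(&var_hash, &pflags);` call, like its siblings in the hunks at -1800 (`&intern->array`) and -1818 (`&pmembers`), carries no comment saying why a value that this function still uses locally must be handed to the var_hash right after `php_var_unserialize` succeeds, so a later reader could mistake the three lines for leaks and remove them, reintroducing the bug. Suggest one comment at each site along the lines of `/* register with var_hash: a later back-reference (R:n) in the same payload may point here, so the value must outlive the local and be released with the var_hash */`. `SPL_METHOD(Array, unserialize)` begins and ends outside these hunks and the `outexcept` label is not visible, so whether values pushed here are also released correctly on the error path cannot be confirmed from the diff alone.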
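Review bot: In the new test the `for` loop that fills `$v` is never read afterwards and has no comment, so it looks like dead code to anyone cleaning the test up later. Presumably the allocations exist so that memory released through the `R:5` back-reference is reused before `var_dump($data)`, turning a regression into visibly wrong output rather than a silent pass; if so, a one-line comment on the loop, `// allocate after unserialize() so a freed slot is reused and a UAF shows in the output`, would preserve that intent.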