diff options
| author | Stanislav Malyshev <stas@php.net> | 2015-01-31 22:40:08 -0800 |
|---|---|---|
| committer | Julien Pauli <jpauli@php.net> | 2015-02-18 11:31:26 +0100 |
| commit | 51cd5a1d09ce3dd3027eace601661a2bc5745851 (patch) | |
| tree | 695ec86967c14f1e950ad8f667002ff5d73fd91b | |
| parent | 3b9315f28c56bf407fc9e895e597511c16a6febe (diff) | |
| download | php-git-51cd5a1d09ce3dd3027eace601661a2bc5745851.tar.gz | |
Fix bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone)
Conflicts:
ext/date/php_date.c
| -rw-r--r-- | ext/date/php_date.c | 10 | ||||
| -rw-r--r-- | ext/date/tests/bug68942_2.phpt | 9 |
2 files changed, 12 insertions, 7 deletions
diff --git a/ext/date/php_date.c b/ext/date/php_date.c index 58e23c0bb5..dab29d21f4 100644 --- a/ext/date/php_date.c +++ b/ext/date/php_date.c @@ -2779,12 +2779,9 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht timelib_tzinfo *tzi; php_timezone_obj *tzobj; - if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS) { - convert_to_string(*z_date); - if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) { - convert_to_long(*z_timezone_type); - if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) { - convert_to_string(*z_timezone); + if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS && Z_TYPE_PP(z_date) == IS_STRING) { + if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) { + if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) { switch (Z_LVAL_PP(z_timezone_type)) { case TIMELIB_ZONETYPE_OFFSET: @@ -2799,7 +2796,6 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht case TIMELIB_ZONETYPE_ID: { int ret; - convert_to_string(*z_timezone); tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC); diff --git a/ext/date/tests/bug68942_2.phpt b/ext/date/tests/bug68942_2.phpt new file mode 100644 index 0000000000..5b02567008 --- /dev/null +++ b/ext/date/tests/bug68942_2.phpt @@ -0,0 +1,9 @@ +--TEST-- +Bug #68942 (Use after free vulnerability in unserialize() with DateTime). +--FILE-- +<?php +$data = unserialize('a:2:{i:0;O:8:"DateTime":3:{s:4:"date";s:26:"2000-01-01 00:00:00.000000";s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:5;}'); +var_dump($data); +?> +--EXPECTF-- +Fatal error: Invalid serialization data for DateTime object in %s/bug68942_2.php on line %d |