authorStanislav Malyshev <stas@php.net>2015-08-01 21:51:08 -0700
committerStanislav Malyshev <stas@php.net>2015-08-01 22:01:51 -0700
commit863bf294feb9ad425eadb94f288bc7f18673089d (patch)
treea74dd437b9797a287f8c646e9cb71eb9828e7bc0
parent7381b6accc5559b2de039af3a22f6ec1003b03b3 (diff)
Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
-rw-r--r--ext/spl/spl_dllist.c25
-rw-r--r--ext/spl/tests/bug70169.phpt30
2 files changed, 43 insertions, 12 deletions
diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
index b5ddfc0f59..011d7a6e3c 100644
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -500,7 +500,7 @@ static int spl_dllist_object_count_elements(zval *object, long *count TSRMLS_DC)
*count = spl_ptr_llist_count(intern->llist);
return SUCCESS;
-}
+}
/* }}} */
static HashTable* spl_dllist_object_get_debug_info(zval *obj, int *is_temp TSRMLS_DC) /* {{{{ */
@@ -571,7 +571,7 @@ SPL_METHOD(SplDoublyLinkedList, push)
spl_ptr_llist_push(intern->llist, value TSRMLS_CC);
RETURN_TRUE;
-}
+}
/* }}} */
/* {{{ proto bool SplDoublyLinkedList::unshift(mixed $value) U
@@ -614,7 +614,7 @@ SPL_METHOD(SplDoublyLinkedList, pop)
}
RETURN_ZVAL(value, 1, 1);
-}
+}
/* }}} */
/* {{{ proto mixed SplDoublyLinkedList::shift() U
@@ -637,7 +637,7 @@ SPL_METHOD(SplDoublyLinkedList, shift)
}
RETURN_ZVAL(value, 1, 1);
-}
+}
/* }}} */
/* {{{ proto mixed SplDoublyLinkedList::top() U
@@ -1051,7 +1051,7 @@ static void spl_dllist_it_move_forward(zend_object_iterator *iter TSRMLS_DC) /*
SPL_METHOD(SplDoublyLinkedList, key)
{
spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -1065,7 +1065,7 @@ SPL_METHOD(SplDoublyLinkedList, key)
SPL_METHOD(SplDoublyLinkedList, prev)
{
spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -1079,7 +1079,7 @@ SPL_METHOD(SplDoublyLinkedList, prev)
SPL_METHOD(SplDoublyLinkedList, next)
{
spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -1093,7 +1093,7 @@ SPL_METHOD(SplDoublyLinkedList, next)
SPL_METHOD(SplDoublyLinkedList, valid)
{
spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -1107,7 +1107,7 @@ SPL_METHOD(SplDoublyLinkedList, valid)
SPL_METHOD(SplDoublyLinkedList, rewind)
{
spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -1122,7 +1122,7 @@ SPL_METHOD(SplDoublyLinkedList, current)
{
spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
spl_ptr_llist_element *element = intern->traverse_pointer;
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -1177,7 +1177,7 @@ SPL_METHOD(SplDoublyLinkedList, serialize)
} else {
RETURN_NULL();
}
-
+
} /* }}} */
/* {{{ proto void SplDoublyLinkedList::unserialize(string serialized)
@@ -1190,7 +1190,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)
int buf_len;
const unsigned char *p, *s;
php_unserialize_data_t var_hash;
-
+
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
return;
}
@@ -1209,6 +1209,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)
zval_ptr_dtor(&flags);
goto error;
}
+ var_push_dtor(&var_hash, &flags);
intern->flags = Z_LVAL_P(flags);
zval_ptr_dtor(&flags);
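Review bot: `intern->flags = Z_LVAL_P(flags);` on the line after the new `var_push_dtor` still stores the serialized long without any check on its value, so a crafted payload can set flag bits that the normal API refuses (setIteratorMode, as far as I recall, rejects changing LIFO/FIFO once SPL_DLLIST_IT_FIX is set, which SplQueue and SplStack depend on), and if `flags` is an `int` field the long is also silently truncated. Masking to the bits this file defines, e.g. `intern->flags = (int)(Z_LVAL_P(flags) & (SPL_DLLIST_IT_MASK | SPL_DLLIST_IT_FIX));`, or taking the same `goto error` path used for the IS_LONG type check just above when unknown bits are present, would keep unserialize() from being a way around that validation. This is hardening separate from the use-after-free the commit fixes; placing `var_push_dtor` before the `zval_ptr_dtor` looks correct. The body of SplDoublyLinkedList::unserialize continues beyond both ends of the hunk.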
diff --git a/ext/spl/tests/bug70169.phpt b/ext/spl/tests/bug70169.phpt
new file mode 100644
index 0000000000..9d814be5fa
--- /dev/null
+++ b/ext/spl/tests/bug70169.phpt
@@ -0,0 +1,30 @@
+--TEST--
+SPL: Bug #70169 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList
+--FILE--
+<?php
+$inner = 'i:1;';
+$exploit = 'a:2:{i:0;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:1;R:3;}';
+
+$data = unserialize($exploit);
+
+for($i = 0; $i < 5; $i++) {
+ $v[$i] = 'hi'.$i;
+}
+
+var_dump($data);
+?>
+===DONE===
+--EXPECTF--
+array(2) {
+ [0]=>
+ object(SplDoublyLinkedList)#%d (2) {
+ ["flags":"SplDoublyLinkedList":private]=>
+ int(1)
+ ["dllist":"SplDoublyLinkedList":private]=>
+ array(0) {
+ }
+ }
+ [1]=>
+ int(1)
+}
+===DONE===
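Review bot: The test gives no hint why the `$v` loop between unserialize() and var_dump() exists, so a later cleanup could drop it and quietly weaken the regression check. A one-line comment such as `// allocate after unserialize() so a dangling reference to the freed flags zval shows up as a wrong value rather than passing by luck` would keep the intent visible. The `R:3;` element appears to be what makes slot `[1]` refer back to the inner flags zval (hence the expected `int(1)`), which is worth stating in the same comment.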