authorStanislav Malyshev <stas@php.net>2014-12-16 10:19:32 -0800
committerFerenc Kovacs <tyrael@php.net>2014-12-17 02:25:00 +0100
commitc37265eacdd0186cb3b0bfeb0e0104c8563807ef (patch)
tree82ebc9952ec93c3046d7b99c9fd0e9673dddb8f2
parentfe1ab0e566dccf794483d0dfab7f06e6c095b1a2 (diff)
downloadphp-git-PHP-5.6.4.tar.gz
Merge branch 'PHP-5.5' into PHP-5.6php-5.6.4PHP-5.6.4
* PHP-5.5: update news add CVE add missing test file Fix bug #68594 - Use after free vulnerability in unserialize() Conflicts: ext/standard/var_unserializer.c
-rw-r--r--ext/standard/tests/serialize/bug68594.phpt23
-rw-r--r--ext/standard/var_unserializer.c68
-rw-r--r--ext/standard/var_unserializer.re3
3 files changed, 62 insertions, 32 deletions
diff --git a/ext/standard/tests/serialize/bug68594.phpt b/ext/standard/tests/serialize/bug68594.phpt
new file mode 100644
index 0000000000..60fc7a76ab
--- /dev/null
+++ b/ext/standard/tests/serialize/bug68594.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #68545 Use after free vulnerability in unserialize()
+--FILE--
+<?php
+for ($i=4; $i<100; $i++) {
+ $m = new StdClass();
+
+ $u = array(1);
+
+ $m->aaa = array(1,2,&$u,4,5);
+ $m->bbb = 1;
+ $m->ccc = &$u;
+ $m->ddd = str_repeat("A", $i);
+
+ $z = serialize($m);
+ $z = str_replace("bbb", "aaa", $z);
+ $y = unserialize($z);
+ $z = serialize($y);
+}
+?>
+===DONE===
+--EXPECTF--
+===DONE===
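Review bot: The --TEST-- line names the wrong bug: it reads `Bug #68545 Use after free vulnerability in unserialize()` while the file is bug68594.phpt and the commit message fixes #68594. A mismatched test title is what makes the regression test hard to find from the bug tracker later, so the line should be `Bug #68594 Use after free vulnerability in unserialize()`. The test body itself (duplicate property name pointing at a reference, then serialize/unserialize round-trip) matches the var_unserializer change and is fine as is.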
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
index 88ba7e5fb8..d9bf586534 100644
--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
@@ -1,4 +1,4 @@
-/* Generated by re2c 0.13.5 */
+/* Generated by re2c 0.13.7.5 */
#line 1 "ext/standard/var_unserializer.re"
/*
+----------------------------------------------------------------------+
@@ -342,6 +342,9 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
} else {
/* object properties should include no integers */
convert_to_string(key);
+ if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+ var_push_dtor(var_hash, old_data);
+ }
zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
sizeof data, NULL);
}
@@ -475,7 +478,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
-#line 479 "ext/standard/var_unserializer.c"
+#line 482 "ext/standard/var_unserializer.c"
{
YYCTYPE yych;
static const unsigned char yybm[] = {
@@ -535,9 +538,9 @@ yy2:
yych = *(YYMARKER = ++YYCURSOR);
if (yych == ':') goto yy95;
yy3:
-#line 830 "ext/standard/var_unserializer.re"
+#line 833 "ext/standard/var_unserializer.re"
{ return 0; }
-#line 541 "ext/standard/var_unserializer.c"
+#line 544 "ext/standard/var_unserializer.c"
yy4:
yych = *(YYMARKER = ++YYCURSOR);
if (yych == ':') goto yy89;
@@ -580,13 +583,13 @@ yy13:
goto yy3;
yy14:
++YYCURSOR;
-#line 824 "ext/standard/var_unserializer.re"
+#line 827 "ext/standard/var_unserializer.re"
{
/* this is the case where we have less data than planned */
php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data");
return 0; /* not sure if it should be 0 or 1 here? */
}
-#line 590 "ext/standard/var_unserializer.c"
+#line 593 "ext/standard/var_unserializer.c"
yy16:
yych = *++YYCURSOR;
goto yy3;
@@ -612,11 +615,12 @@ yy20:
if (yybm[0+yych] & 128) {
goto yy20;
}
- if (yych != ':') goto yy18;
+ if (yych <= '/') goto yy18;
+ if (yych >= ';') goto yy18;
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 678 "ext/standard/var_unserializer.re"
+#line 681 "ext/standard/var_unserializer.re"
{
size_t len, len2, len3, maxlen;
long elements;
@@ -762,7 +766,7 @@ yy20:
return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
-#line 766 "ext/standard/var_unserializer.c"
+#line 770 "ext/standard/var_unserializer.c"
yy25:
yych = *++YYCURSOR;
if (yych <= ',') {
@@ -787,7 +791,7 @@ yy27:
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 670 "ext/standard/var_unserializer.re"
+#line 673 "ext/standard/var_unserializer.re"
{
INIT_PZVAL(*rval);
@@ -795,7 +799,7 @@ yy27:
return object_common2(UNSERIALIZE_PASSTHRU,
object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
}
-#line 799 "ext/standard/var_unserializer.c"
+#line 803 "ext/standard/var_unserializer.c"
yy32:
yych = *++YYCURSOR;
if (yych == '+') goto yy33;
@@ -816,7 +820,7 @@ yy34:
yych = *++YYCURSOR;
if (yych != '{') goto yy18;
++YYCURSOR;
-#line 650 "ext/standard/var_unserializer.re"
+#line 653 "ext/standard/var_unserializer.re"
{
long elements = parse_iv(start + 2);
/* use iv() not uiv() in order to check data range */
@@ -836,7 +840,7 @@ yy34:
return finish_nested_data(UNSERIALIZE_PASSTHRU);
}
-#line 840 "ext/standard/var_unserializer.c"
+#line 844 "ext/standard/var_unserializer.c"
yy39:
yych = *++YYCURSOR;
if (yych == '+') goto yy40;
@@ -857,7 +861,7 @@ yy41:
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 621 "ext/standard/var_unserializer.re"
+#line 624 "ext/standard/var_unserializer.re"
{
size_t len, maxlen;
char *str;
@@ -886,7 +890,7 @@ yy41:
ZVAL_STRINGL(*rval, str, len, 0);
return 1;
}
-#line 890 "ext/standard/var_unserializer.c"
+#line 894 "ext/standard/var_unserializer.c"
yy46:
yych = *++YYCURSOR;
if (yych == '+') goto yy47;
@@ -907,7 +911,7 @@ yy48:
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
-#line 593 "ext/standard/var_unserializer.re"
+#line 596 "ext/standard/var_unserializer.re"
{
size_t len, maxlen;
char *str;
@@ -935,7 +939,7 @@ yy48:
ZVAL_STRINGL(*rval, str, len, 1);
return 1;
}
-#line 939 "ext/standard/var_unserializer.c"
+#line 943 "ext/standard/var_unserializer.c"
yy53:
yych = *++YYCURSOR;
if (yych <= '/') {
@@ -1023,7 +1027,7 @@ yy61:
}
yy63:
++YYCURSOR;
-#line 583 "ext/standard/var_unserializer.re"
+#line 586 "ext/standard/var_unserializer.re"
{
#if SIZEOF_LONG == 4
use_double:
@@ -1033,7 +1037,7 @@ use_double:
ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL));
return 1;
}
-#line 1037 "ext/standard/var_unserializer.c"
+#line 1041 "ext/standard/var_unserializer.c"
yy65:
yych = *++YYCURSOR;
if (yych <= ',') {
@@ -1092,7 +1096,7 @@ yy73:
yych = *++YYCURSOR;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 568 "ext/standard/var_unserializer.re"
+#line 571 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
INIT_PZVAL(*rval);
@@ -1107,7 +1111,7 @@ yy73:
return 1;
}
-#line 1111 "ext/standard/var_unserializer.c"
+#line 1115 "ext/standard/var_unserializer.c"
yy76:
yych = *++YYCURSOR;
if (yych == 'N') goto yy73;
@@ -1134,7 +1138,7 @@ yy79:
if (yych <= '9') goto yy79;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 541 "ext/standard/var_unserializer.re"
+#line 544 "ext/standard/var_unserializer.re"
{
#if SIZEOF_LONG == 4
int digits = YYCURSOR - start - 3;
@@ -1161,7 +1165,7 @@ yy79:
ZVAL_LONG(*rval, parse_iv(start + 2));
return 1;
}
-#line 1165 "ext/standard/var_unserializer.c"
+#line 1169 "ext/standard/var_unserializer.c"
yy83:
yych = *++YYCURSOR;
if (yych <= '/') goto yy18;
@@ -1169,24 +1173,24 @@ yy83:
yych = *++YYCURSOR;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 534 "ext/standard/var_unserializer.re"
+#line 537 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
INIT_PZVAL(*rval);
ZVAL_BOOL(*rval, parse_iv(start + 2));
return 1;
}
-#line 1180 "ext/standard/var_unserializer.c"
+#line 1184 "ext/standard/var_unserializer.c"
yy87:
++YYCURSOR;
-#line 527 "ext/standard/var_unserializer.re"
+#line 530 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
INIT_PZVAL(*rval);
ZVAL_NULL(*rval);
return 1;
}
-#line 1190 "ext/standard/var_unserializer.c"
+#line 1194 "ext/standard/var_unserializer.c"
yy89:
yych = *++YYCURSOR;
if (yych <= ',') {
@@ -1209,7 +1213,7 @@ yy91:
if (yych <= '9') goto yy91;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 504 "ext/standard/var_unserializer.re"
+#line 507 "ext/standard/var_unserializer.re"
{
long id;
@@ -1232,7 +1236,7 @@ yy91:
return 1;
}
-#line 1236 "ext/standard/var_unserializer.c"
+#line 1240 "ext/standard/var_unserializer.c"
yy95:
yych = *++YYCURSOR;
if (yych <= ',') {
@@ -1255,7 +1259,7 @@ yy97:
if (yych <= '9') goto yy97;
if (yych != ';') goto yy18;
++YYCURSOR;
-#line 483 "ext/standard/var_unserializer.re"
+#line 486 "ext/standard/var_unserializer.re"
{
long id;
@@ -1276,9 +1280,9 @@ yy97:
return 1;
}
-#line 1280 "ext/standard/var_unserializer.c"
+#line 1284 "ext/standard/var_unserializer.c"
}
-#line 832 "ext/standard/var_unserializer.re"
+#line 835 "ext/standard/var_unserializer.re"
return 0;
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 5d9d83b677..387ba6aea7 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -346,6 +346,9 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
} else {
/* object properties should include no integers */
convert_to_string(key);
+ if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+ var_push_dtor(var_hash, old_data);
+ }
zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
sizeof data, NULL);
}
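Review bot: The new lookup and the existing update disagree on key normalisation: `zend_symtable_find` treats a numeric string such as "1" as integer index 1, while `zend_hash_update` on the next line stores the property under the string key, so for a numeric-looking property name the find can miss an existing entry and the old zval is still destroyed by the update while var_hash may reference it. Use the matching lookup, `if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {`, so the slot being overwritten is exactly the one that gets pushed onto the destructor list. The same lines appear in the generated var_unserializer.c hunk above and must be regenerated from the .re rather than edited by hand. `old_data` is not declared within the hunk; presumably it is declared in the prologue of process_nested_data, which starts and ends outside this hunk. Consider a one-line comment on the new block, `/* keep the replaced zval alive until var_hash is destroyed: a later R:/r: back-reference may still point at it */`, so the reason for the extra lookup survives the next refactor.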