author | Stanislav Malyshev <stas@php.net> | 2014-12-16 10:19:32 -0800 |
committer | Ferenc Kovacs <tyrael@php.net> | 2014-12-17 02:25:00 +0100 |
commit | c37265eacdd0186cb3b0bfeb0e0104c8563807ef (patch) | |
tree | 82ebc9952ec93c3046d7b99c9fd0e9673dddb8f2 | |
parent | fe1ab0e566dccf794483d0dfab7f06e6c095b1a2 (diff) | |
* PHP-5.5:
update news
add CVE
add missing test file
Fix bug #68594 - Use after free vulnerability in unserialize()
Conflicts:
ext/standard/var_unserializer.c
-rw-r--r-- | ext/standard/tests/serialize/bug68594.phpt | 23 | ||||
-rw-r--r-- | ext/standard/var_unserializer.c | 68 | ||||
-rw-r--r-- | ext/standard/var_unserializer.re | 3 |
3 files changed, 62 insertions, 32 deletions
diff --git a/ext/standard/tests/serialize/bug68594.phpt b/ext/standard/tests/serialize/bug68594.phpt
new file mode 100644
index 0000000000..60fc7a76ab
--- /dev/null
+++ b/ext/standard/tests/serialize/bug68594.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #68545 Use after free vulnerability in unserialize()
+--FILE--
+<?php
+for ($i=4; $i<100; $i++) {
+ $m = new StdClass();
+
+ $u = array(1);
+
+ $m->aaa = array(1,2,&$u,4,5);
+ $m->bbb = 1;
+ $m->ccc = &$u;
+ $m->ddd = str_repeat("A", $i);
+
+ $z = serialize($m);
+ $z = str_replace("bbb", "aaa", $z);
+ $y = unserialize($z);
+ $z = serialize($y);
+}
+?>
+===DONE===
+--EXPECTF--
+===DONE===
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
index 88ba7e5fb8..d9bf586534 100644
--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
@@ -1,4 +1,4 @@ -/* Generated by re2c 0.13.5 */ +/* Generated by re2c 0.13.7.5 */ #line 1 "ext/standard/var_unserializer.re" /* +----------------------------------------------------------------------+
@@ -342,6 +342,9 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 } else {
 /* object properties should include no integers */
 convert_to_string(key);
+ if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+ var_push_dtor(var_hash, old_data);
+ }
 zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof data, NULL);
 }
@@ -475,7 +478,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER) -#line 479 "ext/standard/var_unserializer.c" +#line 482 "ext/standard/var_unserializer.c" { YYCTYPE yych; static const unsigned char yybm[] = { 
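Review bot: The `--TEST--` title of the new bug68594.phpt reads `Bug #68545 Use after free vulnerability in unserialize()`, while the file name and the commit message both refer to bug #68594, so the number in the title looks like a typo and should read `Bug #68594 Use after free vulnerability in unserialize()`. The test detects the fault only indirectly, because the only expected output is `===DONE===` and the loop must simply run to completion; a one-line comment above the loop stating that intent, e.g. `// the duplicated "aaa" property must round-trip without crashing (bug #68594)`, would tell a future reader what a failure of this test means.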
@@ -535,9 +538,9 @@ yy2: yych = *(YYMARKER = ++YYCURSOR); if (yych == ':') goto yy95; yy3: -#line 830 "ext/standard/var_unserializer.re" +#line 833 "ext/standard/var_unserializer.re" { return 0; } -#line 541 "ext/standard/var_unserializer.c" +#line 544 "ext/standard/var_unserializer.c" yy4: yych = *(YYMARKER = ++YYCURSOR); if (yych == ':') goto yy89; @@ -580,13 +583,13 @@ yy13: goto yy3; yy14: ++YYCURSOR; -#line 824 "ext/standard/var_unserializer.re" +#line 827 "ext/standard/var_unserializer.re" { /* this is the case where we have less data than planned */ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data"); return 0; /* not sure if it should be 0 or 1 here? */ } -#line 590 "ext/standard/var_unserializer.c" +#line 593 "ext/standard/var_unserializer.c" yy16: yych = *++YYCURSOR; goto yy3; @@ -612,11 +615,12 @@ yy20: if (yybm[0+yych] & 128) { goto yy20; } - if (yych != ':') goto yy18; + if (yych <= '/') goto yy18; + if (yych >= ';') goto yy18; yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 678 "ext/standard/var_unserializer.re" +#line 681 "ext/standard/var_unserializer.re" { size_t len, len2, len3, maxlen; long elements; @@ -762,7 +766,7 @@ yy20: return object_common2(UNSERIALIZE_PASSTHRU, elements); } -#line 766 "ext/standard/var_unserializer.c" +#line 770 "ext/standard/var_unserializer.c" yy25: yych = *++YYCURSOR; if (yych <= ',') { @@ -787,7 +791,7 @@ yy27: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 670 "ext/standard/var_unserializer.re" +#line 673 "ext/standard/var_unserializer.re" { INIT_PZVAL(*rval); @@ -795,7 +799,7 @@ yy27: return object_common2(UNSERIALIZE_PASSTHRU, object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR)); } -#line 799 "ext/standard/var_unserializer.c" +#line 803 "ext/standard/var_unserializer.c" yy32: yych = *++YYCURSOR; if (yych == '+') goto yy33; 
@@ -816,7 +820,7 @@ yy34: yych = *++YYCURSOR; if (yych != '{') goto yy18; ++YYCURSOR; -#line 650 "ext/standard/var_unserializer.re" +#line 653 "ext/standard/var_unserializer.re" { long elements = parse_iv(start + 2); /* use iv() not uiv() in order to check data range */ @@ -836,7 +840,7 @@ yy34: return finish_nested_data(UNSERIALIZE_PASSTHRU); } -#line 840 "ext/standard/var_unserializer.c" +#line 844 "ext/standard/var_unserializer.c" yy39: yych = *++YYCURSOR; if (yych == '+') goto yy40; @@ -857,7 +861,7 @@ yy41: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 621 "ext/standard/var_unserializer.re" +#line 624 "ext/standard/var_unserializer.re" { size_t len, maxlen; char *str; @@ -886,7 +890,7 @@ yy41: ZVAL_STRINGL(*rval, str, len, 0); return 1; } -#line 890 "ext/standard/var_unserializer.c" +#line 894 "ext/standard/var_unserializer.c" yy46: yych = *++YYCURSOR; if (yych == '+') goto yy47; @@ -907,7 +911,7 @@ yy48: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 593 "ext/standard/var_unserializer.re" +#line 596 "ext/standard/var_unserializer.re" { size_t len, maxlen; char *str; @@ -935,7 +939,7 @@ yy48: ZVAL_STRINGL(*rval, str, len, 1); return 1; } -#line 939 "ext/standard/var_unserializer.c" +#line 943 "ext/standard/var_unserializer.c" yy53: yych = *++YYCURSOR; if (yych <= '/') { @@ -1023,7 +1027,7 @@ yy61: } yy63: ++YYCURSOR; -#line 583 "ext/standard/var_unserializer.re" +#line 586 "ext/standard/var_unserializer.re" { #if SIZEOF_LONG == 4 use_double: @@ -1033,7 +1037,7 @@ use_double: ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL)); return 1; } -#line 1037 "ext/standard/var_unserializer.c" +#line 1041 "ext/standard/var_unserializer.c" yy65: yych = *++YYCURSOR; if (yych <= ',') { @@ -1092,7 +1096,7 @@ yy73: yych = *++YYCURSOR; if (yych != ';') goto yy18; ++YYCURSOR; -#line 568 "ext/standard/var_unserializer.re" +#line 571 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); 
@@ -1107,7 +1111,7 @@ yy73: return 1; } -#line 1111 "ext/standard/var_unserializer.c" +#line 1115 "ext/standard/var_unserializer.c" yy76: yych = *++YYCURSOR; if (yych == 'N') goto yy73; @@ -1134,7 +1138,7 @@ yy79: if (yych <= '9') goto yy79; if (yych != ';') goto yy18; ++YYCURSOR; -#line 541 "ext/standard/var_unserializer.re" +#line 544 "ext/standard/var_unserializer.re" { #if SIZEOF_LONG == 4 int digits = YYCURSOR - start - 3; @@ -1161,7 +1165,7 @@ yy79: ZVAL_LONG(*rval, parse_iv(start + 2)); return 1; } -#line 1165 "ext/standard/var_unserializer.c" +#line 1169 "ext/standard/var_unserializer.c" yy83: yych = *++YYCURSOR; if (yych <= '/') goto yy18; @@ -1169,24 +1173,24 @@ yy83: yych = *++YYCURSOR; if (yych != ';') goto yy18; ++YYCURSOR; -#line 534 "ext/standard/var_unserializer.re" +#line 537 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_BOOL(*rval, parse_iv(start + 2)); return 1; } -#line 1180 "ext/standard/var_unserializer.c" +#line 1184 "ext/standard/var_unserializer.c" yy87: ++YYCURSOR; -#line 527 "ext/standard/var_unserializer.re" +#line 530 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_NULL(*rval); return 1; } -#line 1190 "ext/standard/var_unserializer.c" +#line 1194 "ext/standard/var_unserializer.c" yy89: yych = *++YYCURSOR; if (yych <= ',') { @@ -1209,7 +1213,7 @@ yy91: if (yych <= '9') goto yy91; if (yych != ';') goto yy18; ++YYCURSOR; -#line 504 "ext/standard/var_unserializer.re" +#line 507 "ext/standard/var_unserializer.re" { long id; @@ -1232,7 +1236,7 @@ yy91: return 1; } -#line 1236 "ext/standard/var_unserializer.c" +#line 1240 "ext/standard/var_unserializer.c" yy95: yych = *++YYCURSOR; if (yych <= ',') { @@ -1255,7 +1259,7 @@ yy97: if (yych <= '9') goto yy97; if (yych != ';') goto yy18; ++YYCURSOR; -#line 483 "ext/standard/var_unserializer.re" +#line 486 "ext/standard/var_unserializer.re" { long id; 
@@ -1276,9 +1280,9 @@ yy97: return 1; } -#line 1280 "ext/standard/var_unserializer.c" +#line 1284 "ext/standard/var_unserializer.c" } -#line 832 "ext/standard/var_unserializer.re" +#line 835 "ext/standard/var_unserializer.re" return 0;
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 5d9d83b677..387ba6aea7 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -346,6 +346,9 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 } else {
 /* object properties should include no integers */
 convert_to_string(key);
+ if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+ var_push_dtor(var_hash, old_data);
+ }
 zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof data, NULL);
 } |
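Review bot: The new lookup and the existing write on the object-property path use different key semantics: `zend_symtable_find` normalises a numeric-string property name to an integer index, whereas the `zend_hash_update` two lines below stores the same name as a literal string key, which is what the comment `object properties should include no integers` says this branch intends. For a duplicated property whose name is a numeric string, the find would therefore not see the entry already in `ht`, the old zval would not be handed to `var_push_dtor`, and the update would still release a value that a reference emitted later in the same payload may point at, leaving the pattern this commit fixes open for that key shape. The lookup should use the same table semantics as the write, e.g. `if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {`. The identical three lines appear in the generated hunk at @@ -342 of ext/standard/var_unserializer.c, which should be regenerated from the .re rather than patched by hand. `old_data` is not declared inside the hunk and process_nested_data both starts and ends outside it, so I assume it is an existing `zval **` local in that function — worth confirming.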