authorNikita Popov <nikic@php.net>2017-01-16 14:12:10 +0100
committerNikita Popov <nikic@php.net>2017-01-16 14:12:10 +0100
commit590ef15f6a492c7edddf8e76abdb608424f39fc3 (patch)
tree71d4dc994c9f43eb32e77fcbfe0024a3a22574ff
parent34d6b63501d7107be6a46d0dee1139e11a3b8f7e (diff)
parente0ca519a8ba9afa1cb7531187050e599af4d7d90 (diff)
Merge branch 'PHP-7.0' into PHP-7.1
-rw-r--r--ext/standard/tests/serialize/bug69425.phpt63
-rw-r--r--ext/standard/tests/serialize/bug70513.phpt39
-rw-r--r--ext/standard/tests/serialize/bug72731.phpt18
3 files changed, 120 insertions, 0 deletions
diff --git a/ext/standard/tests/serialize/bug69425.phpt b/ext/standard/tests/serialize/bug69425.phpt
new file mode 100644
index 0000000000..bfa8b9b369
--- /dev/null
+++ b/ext/standard/tests/serialize/bug69425.phpt
@@ -0,0 +1,63 @@
+--TEST--
+Bug #69425: Use After Free in unserialize()
+--FILE--
+<?php
+
+// POC 1
+class test
+{
+ var $ryat;
+
+ function __wakeup()
+ {
+ $this->ryat = 1;
+ }
+}
+
+$data = unserialize('a:2:{i:0;O:4:"test":1:{s:4:"ryat";R:1;}i:1;i:2;}');
+var_dump($data);
+
+// POC 2
+$data = unserialize('a:2:{i:0;O:12:"DateInterval":1:{s:1:"y";R:1;}i:1;i:2;}');
+var_dump($data);
+
+?>
+--EXPECT--
+int(1)
+array(2) {
+ [0]=>
+ object(DateInterval)#1 (15) {
+ ["y"]=>
+ int(-1)
+ ["m"]=>
+ int(-1)
+ ["d"]=>
+ int(-1)
+ ["h"]=>
+ int(-1)
+ ["i"]=>
+ int(-1)
+ ["s"]=>
+ int(-1)
+ ["weekday"]=>
+ int(-1)
+ ["weekday_behavior"]=>
+ int(-1)
+ ["first_last_day_of"]=>
+ int(-1)
+ ["invert"]=>
+ int(0)
+ ["days"]=>
+ int(-1)
+ ["special_type"]=>
+ int(0)
+ ["special_amount"]=>
+ int(-1)
+ ["have_weekday_relative"]=>
+ int(0)
+ ["have_special_relative"]=>
+ int(0)
+ }
+ [1]=>
+ int(2)
+}
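Review bot: The expected output for POC 1 (`int(1)` on the first line of the `--EXPECT--` section) is surprising without a comment, since a reader expects an `array(2)` from that payload; the `R:1` back-reference inside the nested `test` object points at the outer value being unserialized, and `__wakeup()`'s write to `$this->ryat` evidently lands there, collapsing the result. A one-line comment above the first `unserialize()` such as `// R:1 back-references the outer array itself; __wakeup()'s write replaces it, so the result collapses to int(1)` would make the expectation self-explaining. It is also worth noting in the test header that a plain run only pins the output and that the use-after-free itself is only detectable when the suite runs under ASan or valgrind, which is presumably how this regression is meant to be caught.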
diff --git a/ext/standard/tests/serialize/bug70513.phpt b/ext/standard/tests/serialize/bug70513.phpt
new file mode 100644
index 0000000000..2ac4ef6626
--- /dev/null
+++ b/ext/standard/tests/serialize/bug70513.phpt
@@ -0,0 +1,39 @@
+--TEST--
+Bug #70513: GMP Deserialization Type Confusion Vulnerability
+--SKIPIF--
+<?php if (!extension_loaded('gmp')) die('skip requires gmp');
+--FILE--
+<?php
+
+class obj
+{
+ var $ryat;
+
+ function __wakeup()
+ {
+ $this->ryat = 1;
+ }
+}
+
+$obj = new stdClass;
+$obj->aa = 1;
+$obj->bb = 2;
+
+$inner = 's:1:"1";a:3:{s:2:"aa";s:2:"hi";s:2:"bb";s:2:"hi";i:0;O:3:"obj":1:{s:4:"ryat";R:2;}}';
+$exploit = 'a:1:{i:0;C:3:"GMP":'.strlen($inner).':{'.$inner.'}}';
+$x = unserialize($exploit);
+var_dump($x);
+var_dump($obj);
+
+?>
+--EXPECT--
+array(1) {
+ [0]=>
+ int(1)
+}
+object(stdClass)#1 (2) {
+ ["aa"]=>
+ int(1)
+ ["bb"]=>
+ int(2)
+}
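Review bot: `$obj` is constructed with `aa`/`bb` and dumped at the end but never passed to `serialize()`/`unserialize()`, so its role in the test is not obvious; from the expected dump it presumably acts as a canary that the nested `C:3:"GMP"` payload (whose inner `R:2` reference would otherwise be resolved against the wrong var table) cannot clobber an unrelated live object. A comment above it such as `// Unrelated live object: must come out untouched after the nested GMP unserialize` would capture that intent. Using `strlen($inner)` for the `C:` length is correct here because the format counts bytes, not characters, which may be worth a short comment since the style guide steers people toward mb_strlen.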
diff --git a/ext/standard/tests/serialize/bug72731.phpt b/ext/standard/tests/serialize/bug72731.phpt
new file mode 100644
index 0000000000..3d7d1e7af3
--- /dev/null
+++ b/ext/standard/tests/serialize/bug72731.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #72731: Type Confusion in Object Deserialization
+--FILE--
+<?php
+
+class obj {
+ var $ryat;
+ function __wakeup() {
+ $this->ryat = 0x1122334455;
+ }
+}
+
+$poc = 'O:8:"stdClass":1:{i:0;O:3:"obj":1:{s:4:"ryat";R:1;}}';
+var_dump(unserialize($poc));
+
+?>
+--EXPECT--
+int(73588229205)
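Review bot: The expected value `int(73588229205)` only holds on 64-bit builds: the literal `0x1122334455` assigned in `__wakeup()` exceeds 32-bit `PHP_INT_MAX`, so on a 32-bit PHP it becomes a float and `var_dump()` prints `float(...)`, failing the test. The test needs a `--SKIPIF--` section, e.g. `--SKIPIF--` followed by `<?php if (PHP_INT_SIZE != 8) die("skip this test is for 64bit platforms only"); ?>`, as other phpt files in the tree do for 64-bit-only expectations. Alternatively a value that fits in 32 bits would keep the test portable while still exercising the type confusion.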