authorMichael Wallner <mike@php.net>2011-12-02 11:50:22 +0000
committerMichael Wallner <mike@php.net>2011-12-02 11:50:22 +0000
commitd8ca919da19cd547bb6af90cd3909603609aa348 (patch)
treef33cdcb4df0465da7295242d3d4d35cfc0349689
parenta2d189883fe7cbf82f094868bb467283c74fd2d2 (diff)
downloadphp-git-d8ca919da19cd547bb6af90cd3909603609aa348.tar.gz
Fixed bug #60240 (invalid read/writes when unserializing specially crafted strings)
-rw-r--r--NEWS2
-rwxr-xr-xext/spl/spl_observer.c9
-rw-r--r--ext/spl/tests/SplObjectStorage_unserialize_bad.phpt4
3 files changed, 10 insertions, 5 deletions
diff --git a/NEWS b/NEWS
index 052d46d643..0dde31877f 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ PHP NEWS
- Core:
. Fixed bug #60350 (No string escape code for ESC (ascii 27), normally \e).
(php at mickweiss dot com)
+ . Fixed bug #60240 (invalid read/writes when unserializing specially crafted
+ strings). (Mike)
- CLI SAPI:
. Implement FR #60390 (Missing $_SERVER['SERVER_PORT']). (Pierre)
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index 2487a08a3c..419e2dd6f9 100755
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -836,13 +836,11 @@ SPL_METHOD(SplObjectStorage, unserialize)
ALLOC_INIT_ZVAL(pcount);
if (!php_var_unserialize(&pcount, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pcount) != IS_LONG) {
- zval_ptr_dtor(&pcount);
goto outexcept;
}
--p; /* for ';' */
count = Z_LVAL_P(pcount);
- zval_ptr_dtor(&pcount);
while(count-- > 0) {
spl_SplObjectStorageElement *pelement;
@@ -920,11 +918,16 @@ SPL_METHOD(SplObjectStorage, unserialize)
zval_ptr_dtor(&pmembers);
/* done reading $serialized */
-
+ if (pcount) {
+ zval_ptr_dtor(&pcount);
+ }
PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
return;
outexcept:
+ if (pcount) {
+ zval_ptr_dtor(&pcount);
+ }
PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len);
return;
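Review bot: The new `if (pcount)` guards at the normal `return` and at `outexcept` are only safe if `pcount` is initialised to NULL at its declaration, which lies outside this hunk; any `goto outexcept` taken before `ALLOC_INIT_ZVAL(pcount)` would otherwise test an indeterminate pointer and may pass garbage to `zval_ptr_dtor`. Worth confirming the declaration reads `zval *pcount = NULL;` and adding it if it does not. The reason the zval now outlives the `count = Z_LVAL_P(pcount)` read is also not recorded anywhere in the code; a comment above the first guard such as `/* keep pcount alive until var_hash is destroyed: the payload may back-reference it (bug #60240) */` would stop a later cleanup from reintroducing the early dtor that the hunk at L33 removes. The enclosing SPL_METHOD body starts before the first hunk and continues past the last line shown.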
diff --git a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
index 00cd67ba9b..a525317093 100644
--- a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
+++ b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
@@ -5,8 +5,8 @@ SPL: Test that serialized blob contains unique elements (CVE-2010-2225)
$badblobs = array(
'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
-'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
-'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
);
foreach($badblobs as $blob) {
try {
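Review bot: The back-reference index in both blobs changes from 1 to 2 with no comment, so a reader cannot tell whether the `R:1`/`r:1` inputs that presumably triggered bug #60240 are still exercised by another test or were simply dropped from this one. Keeping the old blobs in the array alongside the new ones, or a one-line comment such as `// index 1 presumably resolves to the count zval, which now stays alive; 2 is the first object (bug #60240)`, would document the intent. The `foreach` body continues past the last line shown.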