author | Stanislav Malyshev <stas@php.net> | 2015-01-20 10:40:39 -0800 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2015-01-20 10:40:39 -0800 |
commit | e18ec956873d1cc1fcd4647f4a218c25d0f80209 (patch) | |
tree | 81879f4e11147b6e6876e4803a154cfdefd2ad12 | |
parent | b5e2661fb6546e17e5f9a6982f052b2dce541860 (diff) | |
parent | e2744c51b63d1e7c023f25927d3300d647bd97fe (diff) | |
download | php-git-e18ec956873d1cc1fcd4647f4a218c25d0f80209.tar.gz |
Merge branch 'PHP-5.5' into PHP-5.6
* PHP-5.5:
5.4.38 next
Fix bug #68799: Free called on uninitialized pointer
Fix for bug #68710 (Use After Free Vulnerability in PHP's unserialize())
Conflicts:
ext/standard/var_unserializer.c
-rw-r--r-- | ext/exif/exif.c | 2 | ||||
-rw-r--r-- | ext/exif/tests/bug68799.jpg | bin | 0 -> 735 bytes | |||
-rw-r--r-- | ext/exif/tests/bug68799.phpt | 63 | ||||
-rw-r--r-- | ext/standard/tests/strings/bug68710.phpt | 25 | ||||
-rw-r--r-- | ext/standard/var_unserializer.c | 2 | ||||
-rw-r--r-- | ext/standard/var_unserializer.re | 2 |
6 files changed, 91 insertions, 3 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 824952ffdb..5504545b9b 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2692,7 +2692,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
 {
 xp_field->tag = tag;
-
+ xp_field->value = NULL;
 /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
 if (zend_multibyte_encoding_converter(
 (unsigned char**)&xp_field->value,
diff --git a/ext/exif/tests/bug68799.jpg b/ext/exif/tests/bug68799.jpg
Binary files differ
new file mode 100644
index 0000000000..acc326dbbf
--- /dev/null
+++ b/ext/exif/tests/bug68799.jpg
diff --git a/ext/exif/tests/bug68799.phpt b/ext/exif/tests/bug68799.phpt
new file mode 100644
index 0000000000..b09f21ca7b
--- /dev/null
+++ b/ext/exif/tests/bug68799.phpt
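Review bot: The added `xp_field->value = NULL;` carries no explanation of why it is needed, and the existing `/* XXX ... */` comment only covers the SIZE_MAX error convention, so the connection to bug #68799 is invisible to the next reader. Per the commit message, a failed conversion leaves `value` untouched and it is later freed, so this initialization is what keeps that free from operating on uninitialized memory; I would write the new line as `xp_field->value = NULL; /* must be NULL: on conversion failure value is left untouched and later freed (bug #68799) */`. The rest of exif_process_unicode, including the free in question, lies outside the hunk, so confirm that the error path really frees `value` unconditionally before relying on that wording.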
@@ -0,0 +1,63 @@
+--TEST--
+Bug #68799 (Free called on unitialized pointer)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+/*
+* Pollute the heap. Helps trigger bug. Sometimes not needed.
+*/
+class A {
+ function __construct() {
+ $a = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa';
+ $this->a = $a . $a . $a . $a . $a . $a;
+ }
+};
+
+function doStuff ($limit) {
+
+ $a = new A;
+
+ $b = array();
+ for ($i = 0; $i < $limit; $i++) {
+ $b[$i] = clone $a;
+ }
+
+ unset($a);
+
+ gc_collect_cycles();
+}
+
+$iterations = 3;
+
+doStuff($iterations);
+doStuff($iterations);
+
+gc_collect_cycles();
+
+print_r(exif_read_data(__DIR__.'/bug68799.jpg'));
+
+?>
+--EXPECTF--
+Array
+(
+ [FileName] => bug68799.jpg
+ [FileDateTime] => %d
+ [FileSize] => 735
+ [FileType] => 2
+ [MimeType] => image/jpeg
+ [SectionsFound] => ANY_TAG, IFD0, WINXP
+ [COMPUTED] => Array
+ (
+ [html] => width="1" height="1"
+ [Height] => 1
+ [Width] => 1
+ [IsColor] => 1
+ [ByteOrderMotorola] => 1
+ )
+
+ [XResolution] => 96/1
+ [YResolution] => 96/1
+ [ResolutionUnit] => 2
+ [Author] =>
+)
diff --git a/ext/standard/tests/strings/bug68710.phpt b/ext/standard/tests/strings/bug68710.phpt
new file mode 100644
index 0000000000..729a12011b
--- /dev/null
+++ b/ext/standard/tests/strings/bug68710.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug #68710 Use after free vulnerability in unserialize() (bypassing the
+CVE-2014-8142 fix)
+--FILE--
+<?php
+for ($i=4; $i<100; $i++) {
+ $m = new StdClass();
+
+ $u = array(1);
+
+ $m->aaa = array(1,2,&$u,4,5);
+ $m->bbb = 1;
+ $m->ccc = &$u;
+ $m->ddd = str_repeat("A", $i);
+
+ $z = serialize($m);
+ $z = str_replace("aaa", "123", $z);
+ $z = str_replace("bbb", "123", $z);
+ $y = unserialize($z);
+ $z = serialize($y);
+}
+?>
+===DONE===
+--EXPECTF--
+===DONE===
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
index a45b8d2274..222e704211 100644
--- a/ext/standard/var_unserializer.c
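Review bot: The expected output pins `[Author] =>` to an empty value, which presumably means the test only passes when the Unicode conversion of the XP Author tag fails — the very path that used to free an uninitialized pointer; on a build where the converter succeeds (for instance with mbstring loaded) a non-empty Author would make the test fail for reasons unrelated to the bug. The `--SKIPIF--` only checks for the exif extension, so either add a skip condition matching the converter's availability or relax the line to `[Author] => %S` so both outcomes are accepted. The `doStuff` heap-pollution loop also deserves a one-line note that the bug manifests only as a crash or under a memory checker, so the loop bounds are not tightened later as "unused".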
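Review bot: The test's only expectation is `===DONE===`, so it passes whenever the loop finishes without a fatal error; the use-after-free it guards against is observed only when the freed memory happens to be reused or the run is under ASan/valgrind, and nothing in the file says so. I would add a comment after `<?php` such as `// Regression test for bug #68710: renaming properties to the numeric string "123" must not make unserialize() free an element it still holds; reliable only under a memory checker`, so a later reader does not shrink the loop or the `str_repeat("A", $i)` sizing. As a style point, `StdClass` is accepted case-insensitively but the canonical spelling is `stdClass`.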
+++ b/ext/standard/var_unserializer.c
@@ -342,7 +342,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 } else {
 /* object properties should include no integers */
 convert_to_string(key);
- if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
 var_push_dtor(var_hash, old_data);
 }
 zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 5ffd959198..018c51355b 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -346,7 +346,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 } else {
 /* object properties should include no integers */
 convert_to_string(key);
- if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
 var_push_dtor(var_hash, old_data);
 }
 zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
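Review bot: The switch to `zend_hash_find` is the fix, but nothing in the code records why the symtable variant was wrong, and the surviving comment `/* object properties should include no integers */` reads like a justification for the old call rather than the new one. A symtable lookup treats a numeric string key such as `"123"` as an integer index, so it could return an element that the `zend_hash_update` below — which works on the raw string key — would never replace, and the element handed to `var_push_dtor` could then be one that stayed live in the table. I would extend the comment to `/* object properties should include no integers: look up with the raw string key so the match is exactly the element zend_hash_update() replaces below (bug #68710) */`. The same change appears in the ext/standard/var_unserializer.re hunk, which is the re2c source this file is generated from, so the comment belongs there first; process_nested_data continues outside both hunks.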