authorStanislav Malyshev <stas@php.net>2016-09-25 19:53:59 -0700
committerStanislav Malyshev <stas@php.net>2016-09-25 19:53:59 -0700
commit0e6fe3a4c96be2d3e88389a5776f878021b4c59f (patch)
treeb731bd6b607066d09b93bd548382f8fadc08a4c9 /ext/curl
parente1709b7e588cbda71c577f6e5b701713d0c70a23 (diff)
Fix bug #73147: Use After Free in PHP7 unserialize()
Diffstat (limited to 'ext/curl')
-rw-r--r--ext/curl/curl_file.c5
-rw-r--r--ext/curl/tests/bug73147.phpt20
2 files changed, 24 insertions, 1 deletions
diff --git a/ext/curl/curl_file.c b/ext/curl/curl_file.c
index 56c1bbe68b..029a58a914 100644
--- a/ext/curl/curl_file.c
+++ b/ext/curl/curl_file.c
@@ -137,7 +137,10 @@ ZEND_METHOD(CURLFile, setPostFilename)
Unserialization handler */
ZEND_METHOD(CURLFile, __wakeup)
{
- zend_update_property_string(curl_CURLFile_class, getThis(), "name", sizeof("name")-1, "" TSRMLS_CC);
+ zval *_this = getThis();
+
+ zend_unset_property(curl_CURLFile_class, _this, "name", sizeof("name")-1 TSRMLS_CC);
+ zend_update_property_string(curl_CURLFile_class, _this, "name", sizeof("name")-1, "" TSRMLS_CC);
zend_throw_exception(NULL, "Unserialization of CURLFile instances is not allowed", 0 TSRMLS_CC);
}
/* }}} */
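Review bot: The added `zend_unset_property()` call in `__wakeup` has no comment explaining why it must come before `zend_update_property_string()`, so the pair reads as redundant and a later cleanup could remove the unset. The accompanying test serializes `name` as `R:1`, so the property can apparently arrive as a reference into the structure still being unserialized, and the unset presumably detaches it so the write does not go through that reference. I would put this above the call: `/* "name" may be a reference into the data being unserialized; drop it before writing so the update cannot modify the referenced value */`. Only `name` is reset here; nothing in this function writes to the other CURLFile properties, but whether they need the same treatment elsewhere is not visible from this hunk.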
diff --git a/ext/curl/tests/bug73147.phpt b/ext/curl/tests/bug73147.phpt
new file mode 100644
index 0000000000..118177d871
--- /dev/null
+++ b/ext/curl/tests/bug73147.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #73147: Use After Free in PHP7 unserialize()
+--SKIPIF--
+<?php
+if (!extension_loaded("curl")) {
+ exit("skip curl extension not loaded");
+}
+?>
+--FILE--
+<?php
+
+$poc = 'a:1:{i:0;O:8:"CURLFile":1:{s:4:"name";R:1;}}';
+try {
+var_dump(unserialize($poc));
+} catch(Exception $e) {
+ echo $e->getMessage();
+}
+?>
+--EXPECT--
+Unserialization of CURLFile instances is not allowed
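Review bot: The `$poc` string carries no comment saying what makes it a regression case, so the test's intent is lost to anyone who does not decode the serialized form by hand. A one-line comment above it would do, for example `// "name" is serialized as R:1, i.e. a reference to the enclosing array, so __wakeup's write to "name" must not reach that array`. The `--EXPECT--` section matches only the exception message, so memory misuse would presumably surface only when the suite runs under a memory checker; that is worth stating in the `--TEST--` description or the same comment.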