author | Stanislav Malyshev <stas@php.net> | 2016-09-25 19:53:59 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2016-09-25 19:53:59 -0700 |
commit | 0e6fe3a4c96be2d3e88389a5776f878021b4c59f (patch) | |
tree | b731bd6b607066d09b93bd548382f8fadc08a4c9 /ext/curl | |
parent | e1709b7e588cbda71c577f6e5b701713d0c70a23 (diff) | |
download | php-git-0e6fe3a4c96be2d3e88389a5776f878021b4c59f.tar.gz |
Fix bug #73147: Use After Free in PHP7 unserialize()
Diffstat (limited to 'ext/curl')
-rw-r--r-- | ext/curl/curl_file.c | 5 | ||||
-rw-r--r-- | ext/curl/tests/bug73147.phpt | 20 |
2 files changed, 24 insertions, 1 deletions
diff --git a/ext/curl/curl_file.c b/ext/curl/curl_file.c
index 56c1bbe68b..029a58a914 100644
--- a/ext/curl/curl_file.c
+++ b/ext/curl/curl_file.c
@@ -137,7 +137,10 @@ ZEND_METHOD(CURLFile, setPostFilename)
 Unserialization handler */
 ZEND_METHOD(CURLFile, __wakeup)
 {
- zend_update_property_string(curl_CURLFile_class, getThis(), "name", sizeof("name")-1, "" TSRMLS_CC);
+ zval *_this = getThis();
+
+ zend_unset_property(curl_CURLFile_class, _this, "name", sizeof("name")-1 TSRMLS_CC);
+ zend_update_property_string(curl_CURLFile_class, _this, "name", sizeof("name")-1, "" TSRMLS_CC);
 zend_throw_exception(NULL, "Unserialization of CURLFile instances is not allowed", 0 TSRMLS_CC);
 }
 /* }}} */
diff --git a/ext/curl/tests/bug73147.phpt b/ext/curl/tests/bug73147.phpt
new file mode 100644
index 0000000000..118177d871
--- /dev/null
+++ b/ext/curl/tests/bug73147.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #73147: Use After Free in PHP7 unserialize()
+--SKIPIF--
+<?php
+if (!extension_loaded("curl")) {
+ exit("skip curl extension not loaded");
+}
+?>
+--FILE--
+<?php
+
+$poc = 'a:1:{i:0;O:8:"CURLFile":1:{s:4:"name";R:1;}}';
+try {
+var_dump(unserialize($poc));
+} catch(Exception $e) {
+ echo $e->getMessage();
+}
+?>
+--EXPECT--
+Unserialization of CURLFile instances is not allowed |
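Review bot: The new `zend_unset_property` call in `__wakeup` carries no comment explaining why it must run before `zend_update_property_string`, so it reads as redundant and could be removed in a later cleanup. Judging from the test payload, where `name` is given as `R:1`, the property can presumably arrive as a reference to a value the unserializer still holds, and writing through it is what released that value; unsetting first detaches the slot before the write. I would add above the call: `/* "name" may be a reference into data still being unserialized; unset it first so the write below cannot free that data (bug #73147) */`. Only `name` is handled here, so any property written in this handler in future needs the same unset-then-write order.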
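Review bot: The `--EXPECT--` section of `bug73147.phpt` matches only the exception message, so a build that still touches freed memory without crashing could pass this test too. The regression is reliably caught only when the suite runs under a memory checker (valgrind or an ASan build), and the test should say so, for example with `// meaningful only under valgrind/ASan: a silent use-after-free can still print the expected message` at the top of the `--FILE--` section. As a style point, the `var_dump(unserialize($poc));` line inside `try` is not indented like the body of the `catch` block.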