author | Stanislav Malyshev <stas@php.net> | 2016-09-25 19:53:59 -0700 |
---|---|---|
committer | Anatol Belski <ab@php.net> | 2016-10-12 17:51:15 +0200 |
commit | f42cbd749cde1f91274c1d03df9024baba141a8f (patch) | |
tree | f1e6c542b4c4b1799581a60c672db74dcc6d1436 /ext/curl | |
parent | efc1f33b58b0936539ea6ca1de345bd83c7e8f26 (diff) | |
download | php-git-f42cbd749cde1f91274c1d03df9024baba141a8f.tar.gz |
Fix bug #73147: Use After Free in PHP7 unserialize()
(cherry picked from commit 0e6fe3a4c96be2d3e88389a5776f878021b4c59f)
Diffstat (limited to 'ext/curl')
-rw-r--r-- | ext/curl/curl_file.c | 1 | ||||
-rw-r--r-- | ext/curl/tests/bug73147.phpt | 20 |
2 files changed, 21 insertions, 0 deletions
diff --git a/ext/curl/curl_file.c b/ext/curl/curl_file.c
index de173a5f42..ba8a7de108 100644
--- a/ext/curl/curl_file.c
+++ b/ext/curl/curl_file.c
@@ -137,6 +137,7 @@ ZEND_METHOD(CURLFile, setPostFilename)
 Unserialization handler */
 ZEND_METHOD(CURLFile, __wakeup)
 {
+ zend_unset_property(curl_CURLFile_class, getThis(), "name", sizeof("name")-1);
 zend_update_property_string(curl_CURLFile_class, getThis(), "name", sizeof("name")-1, "");
 zend_throw_exception(NULL, "Unserialization of CURLFile instances is not allowed", 0);
 }
diff --git a/ext/curl/tests/bug73147.phpt b/ext/curl/tests/bug73147.phpt
new file mode 100644
index 0000000000..118177d871
--- /dev/null
+++ b/ext/curl/tests/bug73147.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #73147: Use After Free in PHP7 unserialize()
+--SKIPIF--
+<?php
+if (!extension_loaded("curl")) {
+ exit("skip curl extension not loaded");
+}
+?>
+--FILE--
+<?php
+
+$poc = 'a:1:{i:0;O:8:"CURLFile":1:{s:4:"name";R:1;}}';
+try {
+var_dump(unserialize($poc));
+} catch(Exception $e) {
+ echo $e->getMessage();
+}
+?>
+--EXPECT--
+Unserialization of CURLFile instances is not allowed |
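Review bot: The added `zend_unset_property()` call in `CURLFile::__wakeup` has no comment saying why it precedes `zend_update_property_string()`, and without one it reads as redundant and is easy to drop in a later cleanup. Judging by the test payload, where `name` is `R:1`, the unset appears to detach the property from a reference into the data still being unserialized, so that the following write lands on a fresh value. I would add `/* Bug #73147: "name" may arrive as a reference into the data being unserialized; unset it so the update below does not write through that reference */` above the new line. Only `name` is handled because it is the only property this method writes; a later change that writes another property in `__wakeup` would need the same treatment.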
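Review bot: The `--EXPECT--` section checks only the exception message, which an unpatched build presumably also prints whenever the freed memory happens not to be reused, so this test may catch a regression only when it crashes or runs under a memory checker. It would help to say so in the test, for example `// "name" is R:1, a reference to the outer array; meaningful mainly under valgrind/ASan` above the `$poc` line, and to confirm that the CI job running this test uses a memory-checked build. As a style point, the `try` body is unindented while the `catch` body is indented.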