diff options
| author | Stanislav Malyshev <stas@php.net> | 2016-07-19 01:35:58 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2016-07-19 01:39:28 -0700 |
| commit | b00f8f2a5bae651d6375ca34c676963f1f25ee5a (patch) | |
| tree | aeffcdefca1269348c8b42e200b380044154ecad /ext/snmp/tests | |
| parent | e9a58bee24a4004e50a59d0d01927e6632d6da27 (diff) | |
| parent | 4d0565b5bad444b0652379668c5116b74ee13747 (diff) | |
| download | php-git-b00f8f2a5bae651d6375ca34c676963f1f25ee5a.tar.gz | |
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6:
fix #72519, possible OOB using imagegif
fix #72512, invalid read or write for palette image when invalid transparent index is used
Apparently some envs miss SIZE_MAX
Fix tests
Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment
Partial fix for bug #72613 - do not treat negative returns from bz2 as size_t
Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
Fix for bug #72558, Integer overflow error within _gdContributionsAlloc()
Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE
Fix bug #72562 - destroy var_hash properly
Fix bug #72533 (locale_accept_from_http out-of-bounds access)
Fix fir bug #72520
Fix for bug #72513
Fix for bug #72513
CS fix and comments with bug ID
Fix for HTTP_PROXY issue.
5.6.24RC1
add tests for bug #72512
Fixed bug #72512 gdImageTrueColorToPaletteBody allows arbitrary write/read access
Fixed bug #72479 - same as #72434
Conflicts:
Zend/zend_virtual_cwd.c
ext/bz2/bz2.c
ext/exif/exif.c
ext/session/session.c
ext/snmp/snmp.c
ext/standard/basic_functions.c
main/SAPI.c
main/php_variables.c
Diffstat (limited to 'ext/snmp/tests')
| -rw-r--r-- | ext/snmp/tests/bug72479.phpt | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/ext/snmp/tests/bug72479.phpt b/ext/snmp/tests/bug72479.phpt new file mode 100644 index 0000000000..0308754360 --- /dev/null +++ b/ext/snmp/tests/bug72479.phpt @@ -0,0 +1,35 @@ +--TEST-- +Bug #72479: Use After Free Vulnerability in SNMP with GC and unserialize() +--SKIPIF-- +<?php +require_once(dirname(__FILE__).'/skipif.inc'); +?> +--FILE-- +<?php +$arr = [1, [1, 2, 3, 4, 5], 3, 4, 5]; +$poc = 'a:3:{i:1;N;i:2;O:4:"snmp":1:{s:11:"quick_print";'.serialize($arr).'}i:1;R:7;}'; +$out = unserialize($poc); +gc_collect_cycles(); +$fakezval = ptr2str(1122334455); +$fakezval .= ptr2str(0); +$fakezval .= "\x00\x00\x00\x00"; +$fakezval .= "\x01"; +$fakezval .= "\x00"; +$fakezval .= "\x00\x00"; +for ($i = 0; $i < 5; $i++) { + $v[$i] = $fakezval.$i; +} +var_dump($out[1]); + +function ptr2str($ptr) +{ + $out = ''; + for ($i = 0; $i < 8; $i++) { + $out .= chr($ptr & 0xff); + $ptr >>= 8; + } + return $out; +} +?> +--EXPECT-- +int(1)
\ No newline at end of file |