diff options
| -rw-r--r-- | Zend/zend_API.c | 18 | ||||
| -rw-r--r-- | Zend/zend_API.h | 1 | ||||
| -rw-r--r-- | ext/curl/curl_file.c | 1 | ||||
| -rw-r--r-- | ext/curl/tests/bug73147.phpt | 20 |
4 files changed, 40 insertions, 0 deletions
diff --git a/Zend/zend_API.c b/Zend/zend_API.c index 6ce60e1f06..a71aca8106 100644 --- a/Zend/zend_API.c +++ b/Zend/zend_API.c @@ -3886,6 +3886,24 @@ ZEND_API void zend_update_property_null(zend_class_entry *scope, zval *object, c } /* }}} */ +ZEND_API void zend_unset_property(zend_class_entry *scope, zval *object, const char *name, size_t name_length) /* {{{ */ +{ + zval property; + zend_class_entry *old_scope = EG(scope); + + EG(scope) = scope; + + if (!Z_OBJ_HT_P(object)->unset_property) { + zend_error_noreturn(E_CORE_ERROR, "Property %s of class %s cannot be unset", name, ZSTR_VAL(Z_OBJCE_P(object)->name)); + } + ZVAL_STRINGL(&property, name, name_length); + Z_OBJ_HT_P(object)->unset_property(object, &property, 0); + zval_ptr_dtor(&property); + + EG(scope) = old_scope; +} +/* }}} */ + ZEND_API void zend_update_property_bool(zend_class_entry *scope, zval *object, const char *name, size_t name_length, zend_long value) /* {{{ */ { zval tmp; diff --git a/Zend/zend_API.h b/Zend/zend_API.h index 199e88a8af..8c4a2ccccd 100644 --- a/Zend/zend_API.h +++ b/Zend/zend_API.h @@ -346,6 +346,7 @@ ZEND_API void zend_update_property_double(zend_class_entry *scope, zval *object, ZEND_API void zend_update_property_str(zend_class_entry *scope, zval *object, const char *name, size_t name_length, zend_string *value); ZEND_API void zend_update_property_string(zend_class_entry *scope, zval *object, const char *name, size_t name_length, const char *value); ZEND_API void zend_update_property_stringl(zend_class_entry *scope, zval *object, const char *name, size_t name_length, const char *value, size_t value_length); +ZEND_API void zend_unset_property(zend_class_entry *scope, zval *object, const char *name, size_t name_length); ZEND_API int zend_update_static_property(zend_class_entry *scope, const char *name, size_t name_length, zval *value); ZEND_API int zend_update_static_property_null(zend_class_entry *scope, const char *name, size_t name_length); diff --git a/ext/curl/curl_file.c b/ext/curl/curl_file.c index de173a5f42..ba8a7de108 100644 --- a/ext/curl/curl_file.c +++ b/ext/curl/curl_file.c @@ -137,6 +137,7 @@ ZEND_METHOD(CURLFile, setPostFilename) Unserialization handler */ ZEND_METHOD(CURLFile, __wakeup) { + zend_unset_property(curl_CURLFile_class, getThis(), "name", sizeof("name")-1); zend_update_property_string(curl_CURLFile_class, getThis(), "name", sizeof("name")-1, ""); zend_throw_exception(NULL, "Unserialization of CURLFile instances is not allowed", 0); } diff --git a/ext/curl/tests/bug73147.phpt b/ext/curl/tests/bug73147.phpt new file mode 100644 index 0000000000..118177d871 --- /dev/null +++ b/ext/curl/tests/bug73147.phpt @@ -0,0 +1,20 @@ +--TEST-- +Bug #73147: Use After Free in PHP7 unserialize() +--SKIPIF-- +<?php +if (!extension_loaded("curl")) { + exit("skip curl extension not loaded"); +} +?> +--FILE-- +<?php + +$poc = 'a:1:{i:0;O:8:"CURLFile":1:{s:4:"name";R:1;}}'; +try { +var_dump(unserialize($poc)); +} catch(Exception $e) { + echo $e->getMessage(); +} +?> +--EXPECT-- +Unserialization of CURLFile instances is not allowed |