diff options
author | Stanislav Malyshev <stas@php.net> | 2015-01-20 01:00:52 -0800 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2015-01-20 01:02:26 -0800 |
commit | e63f7b47e1937821e75e9862284c3150e1b1d524 (patch) | |
tree | 91874a75e9d1c333aefae6165552f9ed014f512d | |
parent | fc6aa939f59c9be0febe0fa141629e49541bab8c (diff) | |
parent | b585a3aed7880a5fa5c18e2b838fc96f40e075bd (diff) | |
download | php-git-e63f7b47e1937821e75e9862284c3150e1b1d524.tar.gz |
Merge branch 'bug68710' into PHP-5.4
* bug68710:
Fix for bug #68710 (Use After Free Vulnerability in PHP's unserialize())
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | ext/standard/tests/strings/bug68710.phpt | 25 | ||||
-rw-r--r-- | ext/standard/var_unserializer.c | 4 | ||||
-rw-r--r-- | ext/standard/var_unserializer.re | 2 |
4 files changed, 32 insertions, 3 deletions
@@ -1,6 +1,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 20?? PHP 5.4.37 +- Core: + . Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()). + (CVE-2015-0231) (Stefan Esser) + - CGI: . Fixed bug #68618 (out of bounds read crashes php-cgi). (Stas) diff --git a/ext/standard/tests/strings/bug68710.phpt b/ext/standard/tests/strings/bug68710.phpt new file mode 100644 index 0000000000..729a12011b --- /dev/null +++ b/ext/standard/tests/strings/bug68710.phpt @@ -0,0 +1,25 @@ +--TEST-- +Bug #68710 Use after free vulnerability in unserialize() (bypassing the +CVE-2014-8142 fix) +--FILE-- +<?php +for ($i=4; $i<100; $i++) { + $m = new StdClass(); + + $u = array(1); + + $m->aaa = array(1,2,&$u,4,5); + $m->bbb = 1; + $m->ccc = &$u; + $m->ddd = str_repeat("A", $i); + + $z = serialize($m); + $z = str_replace("aaa", "123", $z); + $z = str_replace("bbb", "123", $z); + $y = unserialize($z); + $z = serialize($y); +} +?> +===DONE=== +--EXPECTF-- +===DONE=== diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c index a12d2fa24e..f114080b86 100644 --- a/ext/standard/var_unserializer.c +++ b/ext/standard/var_unserializer.c @@ -1,4 +1,4 @@ -/* Generated by re2c 0.13.7.5 on Thu Dec 11 19:26:19 2014 */ +/* Generated by re2c 0.13.7.5 on Thu Jan 1 14:43:18 2015 */ #line 1 "ext/standard/var_unserializer.re" /* +----------------------------------------------------------------------+ @@ -343,7 +343,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long } else { /* object properties should include no integers */ convert_to_string(key); - if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { + if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { var_push_dtor(var_hash, old_data); } zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index 4cf1d10832..f04fc74c31 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re @@ -347,7 +347,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long } else { /* object properties should include no integers */ convert_to_string(key); - if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { + if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { var_push_dtor(var_hash, old_data); } zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, |