diff options
author | Stanislav Malyshev <stas@php.net> | 2015-01-31 22:40:08 -0800 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2015-02-17 06:43:51 +0100 |
commit | 7b1898183032eeabc64a086ff040af991cebcd93 (patch) | |
tree | 81778340a2d8687fcfdd879894da2ffa5d8960a2 | |
parent | 82d347a477e2b7c0001c9b58d0b67048ed63af04 (diff) | |
download | php-git-7b1898183032eeabc64a086ff040af991cebcd93.tar.gz |
Fix bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone)
Conflicts:
ext/date/php_date.c
-rw-r--r-- | ext/date/php_date.c | 10 | ||||
-rw-r--r-- | ext/date/tests/bug68942_2.phpt | 9 |
2 files changed, 12 insertions, 7 deletions
diff --git a/ext/date/php_date.c b/ext/date/php_date.c index 92e9480a43..08bfd0899b 100644 --- a/ext/date/php_date.c +++ b/ext/date/php_date.c @@ -2575,12 +2575,9 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht timelib_tzinfo *tzi; php_timezone_obj *tzobj; - if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS) { - convert_to_string(*z_date); - if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) { - convert_to_long(*z_timezone_type); - if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) { - convert_to_string(*z_timezone); + if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS && Z_TYPE_PP(z_date) == IS_STRING) { + if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) { + if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) { switch (Z_LVAL_PP(z_timezone_type)) { case TIMELIB_ZONETYPE_OFFSET: @@ -2595,7 +2592,6 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht case TIMELIB_ZONETYPE_ID: { int ret; - convert_to_string(*z_timezone); tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC); diff --git a/ext/date/tests/bug68942_2.phpt b/ext/date/tests/bug68942_2.phpt new file mode 100644 index 0000000000..5b02567008 --- /dev/null +++ b/ext/date/tests/bug68942_2.phpt @@ -0,0 +1,9 @@ +--TEST-- +Bug #68942 (Use after free vulnerability in unserialize() with DateTime). +--FILE-- +<?php +$data = unserialize('a:2:{i:0;O:8:"DateTime":3:{s:4:"date";s:26:"2000-01-01 00:00:00.000000";s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:5;}'); +var_dump($data); +?> +--EXPECTF-- +Fatal error: Invalid serialization data for DateTime object in %s/bug68942_2.php on line %d |